[crazygringo]

Yeah... I do the same thing. 2FA secrets in my password vault.

I KNOW it defeats the purpose. But honestly, where the heck else am I supposed to put them? I know from experience that printouts gets lost, and also that if someone were determined to hack me, the easiest route would be to break into my home and find the printouts.

So I guess I'm technically supposed to subscribe to a second password manager and store just my 2FA secrets inside of that, with a different master password. Or, put the 2FA secrets inside their own encrypted file stored in my password manager, but once again with their own password that... I can't keep in my password manager. But the biggest problem with both of these is I'm going to forget the password. I never forget my password manager master password because I use it weekly. But asking me to remember a password I last used 3 years ago because that's when I set up 2FA? It's not gonna happen.

It all feels so absurd that the UX side of me just rebels. Expecting users to store 2FA secrets in a different place from their passwords that is also just as secure... is just not something normal people are ever going to do.

[rhussmann]

It's misleading to say that storing your passwords and 2FA secrets in the same place defeats the purpose. There are several vectors here, right?

Enabling 2FA on a site (regardless of how or where the 2nd factor is stored) means if a malicious party were to obtain your plaintext password, they still wouldn't be able to access your account. So, outside of the entire discussion of password managers and secrets, 2FA does require a second factor.

Keeping your 2nd factor in the password vault does make the vault a much higher-value target. But it doesn't diminish the fact that if only your plaintext password is compromised (for example through a leak or re-use) the account is still protected until the point the 2nd factor is compromised.

Security is a spectrum, and often at odds with convenience. While demonstrating that something is provably secure is important, I feel we often fall victim to the nirvana fallacy when discussing the practical everyday use of these things.

[hunter2_]

Off topic: remarkable that you've made your first comment from a near-decade-old account!

[rhussmann]

Long-time lurker, first-time caller.

[hunter2_]

> store 2FA secrets in a different place from their passwords is just not something normal people are ever going to do

Normal people, in the sense of people who do what the interface says to do instead of layering anything else on top, are told 2FA means "something you know, and something you have."

"Know" means it exists only in your mind; it is not stored elsewhere. "Have" means you cannot possibly produce it with your mind; it's stored elsewhere.

When abiding by this concept, "storing 2FA secrets in a different place from their passwords" (the former in some electronic or printed format; the latter in one's mind) is simple. Things get complicated when people start storing both in some electronic or printed format, but that's not what any login interface tells people to do.

The neologism "passkey" (a string used in lieu of a password, but which is not memorable, and therefore is destined to be something you "have") will probably help to sort out this concept: there would be no confusion about the fact that combining a passkey with totp constitutes two "have" items, and therefore is 1FA until combined with something else (biometric, probably).

[notpushkin]

I think using a password manager is already 2FA.

Something you have: a password database on your PC.

Something you know: your master password.

TOTP is a nice addon, but you can store it in the same password manager. It will still help with some attacks (e. g. if a hacker manages to MITM your traffic, they only get the password + one code, which is not sufficient to log in again).

[mprime1]

> I KNOW it defeats the purpose. But honestly, where the heck else am I supposed to put them?

Backing up my 2FA codes is one of the reasons that led me to create PortableSecret: https://news.ycombinator.com/item?id=34083366

Some people took issue with my comment regarding ‘not all secrets belong in your password manager’ but your comment is exactly what I meant.