by luke-stanley 1073 days ago
It grinds my gears when password managers bundle 2FA/MFA without pointing out how this weakens the security of it, or discussing mitigations. "Proton Pass makes 2FA easier with an integrated authenticator that stores your 2FA codes and automatically displays and autofills them." Is it really multiple factor auth if you're using the same device for the password and automatically filling in the token? It's not a unique failure of Proton Pass, but people reading this should rightly be sceptical, and this is a significant failing. When I read their audits on Proton Drive, I see that the web page claims the PDF is end-to-end encrypted. But the link with the key in the URL hash is public. It's a poor demonstration of their technology. When I see the defects that were found by the audits, it doesn't leave an amazing impression. It's great that they have an open source client and do open audits though. Claiming it's open source does come across as hype without a server, too, though. Overall this is a welcome thing, but it's very rough around the edges; I wouldn't feel it's a compelling offering yet with these big issues.
7 comments

I saw someone refer to that as 1.5FA, and I agree with them. It's still multiple factors if the weakest link is the websites you are using your passwords on. If your password gets leaked, they still need the password manager vault to get a 2FA code. However, if your vault gets compromised then it's not 2FA.

> Is it really multiple factor auth if you're using the same device for the password and automatically filling in the token

No it's not, but plenty of services force MFA, even if the user doesn't want it. And in those scenarios it seems perfectly reasonable to store the 2FA token in a password manager. For some things (frankly most things) 2FA isn't critical as long as you have a high-quality password.

I would also point out that given that most people:

1. Have 2FA codes on their phone (either as SMS or TOTP)

2. Have their password manager installed on their phone (if they use one)

Then in many ways the phone (something easily lost!) becomes a single point of failure anyway.

So you're saying it's insecure anyway. So why bother? Hmm.

I think I'm saying:

1. The case in which 2FA is really key is when you have a short password (or worse, a reused password). That leaves you open to brute-force attacks, and attacks where your email/password combination that was leaked from one service is reused to gain access to another service. But this is generally much less of an issue with a password manager where you are likely using a long random password that is unique per service.

2. 2FA is still an extra layer on top of this, but perhaps isn't super necessary for a lot of less critical services. The chances of your password being compromised are pretty small.

3. Particularly with SMS 2FA, there may be attacks present for that which are not present for password-manager based TOTP. For example, attackers may be able to read SMS messages off a phone's lock screen without unlocking the phone. So it's not obvious that this is strictly worse than other options.

4. I think the ideal (aside from U2F tokens) is probably 2 separate password managers, syncing to different clouds (if syncing): a first factor one and a second factor one. If one is being really picky, then on separate devices. But this seems like it's probably overkill in most circumstances. Perhaps it makes sense to do something like this for a few key accounts (email, etc), but not everything?

> But the link with the key in the URL hash is public.

Only if it is shared publicly. The fragment (the part of the URL after the hash) is not sent back to the server by browsers. It can also be coupled with a password which can be sent over a second channel when one is more concerned about the communication channel being compromised than about convenience.

Disclaimer: I work on Proton Drive

It's really no different to having, say, a password manager and Google Authenticator both installed on the phone. At that point, you might as well combine both into a single app for more convenience. And if you don't want both on your phone, then either you don't use 2FA or you don't use a password manager, both of which probably leave you worse off.

Btw, the thing you mention for Proton Drive is only for files which are shared publicly. For sure the audit results are not perfect when viewed in isolation, but when compared to other password managers, it's another story.

It depends on your threat model.

If my Bitwarden vault gets leaked AND their encryption gets broken, I’m fucked anyway. So I might as well just store my 2FA keys in it too.

I’m more interested in protection against keyloggers, and leaks from the database of the sites I use. And for my critical accounts (Gmail…) I use a physical key for 2FA.

> Is it really multiple factor auth if you're using the same device for the password and automatically filling in the token?

Yes, the two factors are having the device with the password database on it, and knowing the unlock code for the database or being the biometrically identified owner.

You might say those are 2 factors, but when it's happily auto-filling passwords and MFA codes automatically, uhh, that's a lot of trust in a computer built to run arbitrary code, let alone JavaScript etc in a browser environment! Maybe it's 1.5 factor? It's not truly separate. To encourage people to do this with no warning is irresponsible. Variants of timing attacks that can result in arbitrary code execution come out often. Browsers have such a massive attack surface.

Expecting users to remember individualized passwords and maintain separate authentication factors for every service is placing a lot of trust in the user! I think this is a case where it's reasonable to think that automation might actually lower the overall risk.

Furthermore I don't think maintaining individual factors for every service would protect you very much against a browser compromise.

Nothing wrong with your second factor being the same device.

The point is to combine something you know with something you own. The thing which you own can contain your passwords too.

When the something you own contains passwords, it replaces something you know and all you are left with is one factor: the device.