by nicoburns 1073 days ago
> Is it really multiple factor auth if you're using the same device for the password and automatically filling in the token

No it's not, but plenty of services force MFA, even if the user doesn't want it. And in those scenarios it seems perfectly reasonable to store the 2FA token in a password manager. For some things (frankly most things) 2FA isn't critical as long as you have a high-quality password.

I would also point out that given that most people:

1. Have 2FA codes on their phone (either as SMS or TOTP)

2. Have their password manager installed on their phone (if they use one)

Then in many ways the phone (something easily lost!) becomes a single point of failure anyway.

1 comment

So you're saying it's insecure anyway. So why bother? Hmm.

I think I'm saying:

1. The case in which 2FA is really key is when you have a short password (or worse, a reused password). That leaves you open to brute-force attacks, and attacks where your email/password combination that was leaked from one service is reused to gain access to another service. But this is generally much less of an issue with a password manager where you are likely using a long random password that is unique per service.

2. 2FA is still an extra layer on top of this, but perhaps isn't super necessary for a lot of less critical services. The chances of your password being compromised are pretty small.

3. Particularly with SMS 2FA, there may be attacks that are present for it but not for password-manager-based TOTP. For example, attackers may be able to read SMS messages off a phone's lock screen without unlocking the phone. So it's not obvious that this is strictly worse than other options.

4. I think the ideal (aside from U2F tokens) is probably 2 separate password managers, syncing to different clouds (if syncing): a first factor one and second factor one. If one is being really picky: then on separate devices. But this seems like it's probably overkill in most circumstances. Perhaps it makes sense to do something like this for a few key accounts (email, etc), but not everything?