by tetha 877 days ago
I've been in the same mindset as you, but I've changed my mind a bit.

Personally and at work, I've started to think about two-ish security classes.

The first are the top security things, e.g. my password manager or my GitHub account. For these, I want my password and my second factor far away from each other and I won't add this second factor to my password manager to make it hard to compromise both of them at once.

But then there are less important accounts and at work, shared accounts even. Here you get a small benefit: Unless you compromise the secret behind the TOTP (which is the one kind you'd generally store in a password manager), if you can see my password + token for some reason, you only have access for a minute or so. Like I can finally type my password into Slack without the account being immediately compromised.

And I can get this small edge of security for these less important accounts for almost no effort from the PW manager.

Put differently - if you manage to break into my password manager, you'd get access to my less secure accounts either way, no matter if I store the TOTP or not. But having the TOTP active might make some attack scenarios harder, like if you MITM a login request.
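The "only access for a minute or so" property the comment relies on comes from how TOTP (RFC 6238) is built: the long-lived credential is the shared secret, and each code is just HMAC(secret, time step) truncated to a few digits. The example below is added here to illustrate that; it is not code from the commenter or from any password manager. It uses the RFC 6238 test secret (ASCII `12345678901234567890`, base32-encoded) as constructed input, and the helper names (`hotp`, `totp`, `verify_totp`, `acceptance_deadline`) are my own. `acceptance_deadline` makes the defender-side point explicit: how long a code observed at a given instant remains acceptable depends on the verifier's step size and clock-skew window, while anyone holding the secret can mint codes indefinitely.

```python
import base64
import hashlib
import hmac
import struct

# RFC 6238 Appendix B test secret, base32-encoded (constructed input, not a real credential).
TEST_SECRET_B32 = base64.b32encode(b"12345678901234567890").decode("ascii")


def hotp(secret_b32: str, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    padded = secret_b32.upper() + "=" * ((8 - len(secret_b32) % 8) % 8)
    key = base64.b32decode(padded)
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, at_time: int, step: int = 30, digits: int = 6) -> str:
    """TOTP (RFC 6238): HOTP with the counter derived from the Unix time step."""
    return hotp(secret_b32, int(at_time) // step, digits)


def verify_totp(secret_b32: str, code: str, at_time: int,
                step: int = 30, digits: int = 6, window: int = 1) -> bool:
    """Verifier side: accept the current step plus `window` steps either side for clock skew.

    Uses a constant-time comparison so the check itself does not leak which digits matched.
    """
    counter = int(at_time) // step
    for c in range(counter - window, counter + window + 1):
        if hmac.compare_digest(hotp(secret_b32, c, digits), code):
            return True
    return False


def acceptance_deadline(captured_at: int, step: int = 30, window: int = 1) -> int:
    """First Unix time at which a code observed at `captured_at` is no longer accepted.

    A code belongs to step floor(captured_at / step); a verifier with skew window w still
    accepts it until the verifier's own step has advanced past that step + w.
    """
    return ((int(captured_at) // step) + window + 1) * step


def exposure_seconds(captured_at: int, step: int = 30, window: int = 1) -> int:
    """Worst-case lifetime of a shoulder-surfed / logged code, in seconds."""
    return acceptance_deadline(captured_at, step, window) - int(captured_at)


if __name__ == "__main__":
    t = 59  # RFC 6238 test vector time
    code = totp(TEST_SECRET_B32, t)
    print("code at t=59:", code)
    print("accepted at t=89:", verify_totp(TEST_SECRET_B32, code, 89))
    print("accepted at t=90:", verify_totp(TEST_SECRET_B32, code, 90))
    print("exposure (window=1):", exposure_seconds(t), "s")
    print("exposure (window=0):", exposure_seconds(t, window=0), "s")
    # Holding the secret, not the code, is what grants open-ended access:
    print("code one day later, from the secret:", totp(TEST_SECRET_B32, t + 86400))
```

The two `exposure_seconds` calls show the trade-off a service operator controls: a skew window of one step roughly doubles how long a leaked code stays usable, and a 60-second step doubles it again. None of that helps once the base32 secret itself is exposed, which is why the comment treats the secret, not the codes, as the thing worth keeping out of a compromised vault.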