[gregmac]

> I also use bitwarden, but not sure how I feel about passwords and totp being in the same app.

I guess this depends on your threat model. In what cases would your password vault be compromised, but your TOTP vault still be secure?

If someone gets access to your unlocked PC/phone, don't they then have access to both? Do you store your TOTP vault password in your password vault (obvious)?

If someone gets into your password vault, why wouldn't the same mechanism also let them get into your TOTP vault? (This applies whether it's brute force, keylogger, hardware exploit, or $5 wrench.)

[Fishkins]

> I guess this depends on your threat model. In what cases would your password vault be compromised, but your TOTP vault still be secure?

If Bitwarden is compromised, like LastPass was. Of course the vault should still be encrypted, but I don't want to rely on a single company managing everything correctly. It seems much less likely that two different companies will be compromised at the same time.

[EasyMark]

that's been my attitude, both are keyed to my face id, otherwise encrypted. my phone times out really quickly if i'm not typing away on it. I feel relatively safe. I wonder though how much longer they will maintain the phone apps. All my desktop versions are verified from my phone, so them dropping the desktop sucks but isn't catastrophic.

[fauigerzigerk]

>In what cases would your password vault be compromised, but your TOTP vault still be secure?

If the password vault is on one device and the TOTP app on another then it would be harder for an attacker to get into both.

I have the same concerns about passkeys. How is it secure if the only thing an attacker needs is a single method of accessing a single device?

[lamontcg]

Generally the threat model that TOTP protects against is not someone breaking into your device. The threat model that it protects against is someone compromising your other credentials. So, although not recommended, you could post your login credentials on twitter and still nobody would be able to get into your account. An attacker hacking into your laptop/desktop/phone with access to install keyloggers and hijack connections is not really what it protects against.

[fauigerzigerk]

>Generally the threat model that TOTP protects against is not someone breaking into your device.

And yet, in some realistic scenarios TOTP does protect me against that, if the second factor is on a different device, kind of like a poor man's yubikey.

[lamontcg]

Not if I'm on your device and hijacking your already-authenticated connection. I just need to be careful enough to do it in the background in such a way that you don't notice.

[fauigerzigerk]

If my device got stolen I would remove the device from my accounts immediately. And without the second factor you wouldn't be able to do anything about it.

[lamontcg]

The threat is that your device is infiltrated right now.

[patrakov]

In a corporate setup, it also somewhat protects against intentional policy-violating password sharing between employees.

[powersnail]

> How is it secure if the only thing an attacker needs is a single method of accessing a single device?

You should have two-factor for your password vault as well, and that TOTP is stored on a separate device.

In other words, you replace the model of having password+TOTP for every account, to having one password+TOTP for your password vault, and effectively treat that password vault as an authentication service for yourself.

[fauigerzigerk]

That's a good idea.

Now I just have to find out how to configure this for passkeys.

[nucleardog]

> I guess this depends on your threat model. In what cases would your password vault be compromised, but your TOTP vault still be secure?

Key logger?

I unlock my password vault frequently. I only unlock my TOTP vault to:

1. Add a new secret 2. Recover access to an account if my authenticator has died.

Since I unlock my TOTP vault so infrequently, the number of hashing rounds/etc are tuned to be _much_ slower and require _much_ more memory. It uses an entirely separate set of credentials from my main vault. And you're unlikely to snag the password unless you're watching me for a long time or get very lucky.

[mos_basik]

ahhhhhhhhhhh!

Wow, this might be the answer to a question that's been bugging me for a while!

It didn't seem right to keep all of my TOTP secrets isolated on one easily lost/stolen/broken device (phone), so when I realized KeePass supported generating TOTP codes I moved all my TOTP secrets into my password database (which is synced around all my devices) then deleted the single-purpose authenticator app as unnecessary.

But then it didn't seem right to have all of my TOTP secrets live in my normal vault with my credentials since that loses the "second factor". Nor did it seem like it would help to make a separate database for TOTP secrets and sync it around too - still no second factor, plus added friction to open both databases on every login.

But as you say, I could keep TOTP secrets in two places - in an authenticator app on my phone with no syncing for daily use (keeps the two-factorness cause it's on a single device, and is low friction cause it piggybacks on the security of my phone and doesn't require a separate login) AND in a TOTP specific password database that's synced around but opened only rarely (in the cases you described).

Thanks for the hint about tuning hashing rounds; didn't know that could be configurable! Looks like KeePass supports that too; I'll look into that.

[jdeibele]

I use iCloud Keychain because I use a Mac, iPad, and iPhone.

I use Authy with Face ID protecting the entire app on my phone. I don't use the Desktop app because it won't use Touch ID, meaning I have to type in a long master password.

I don't see an attack as likely to happen (I own no Bitcoin, not a billionaire, not in charge of anyone else's secrets) but if there was a flaw that let somebody access the passwords on my Mac or iPhone, they'd still need the 2FA codes from my phone. I think that's more likely to happen on the Mac because I do have apps downloaded from somewhere else besides Apple's App Store.

My guess is that most of the people who worked on Authy have fallen by the wayside after the Twilio acquisition. It's annoying every time I have to search the boxes on my phone or the list on my watch: can't we please have alphabetization?