Hacker News new | ask | show | jobs
by fauigerzigerk 852 days ago
>In what cases would your password vault be compromised, but your TOTP vault still be secure?

If the password vault is on one device and the TOTP app on another then it would be harder for an attacker to get into both.

I have the same concerns about passkeys. How is it secure if the only thing an attacker needs is a single method of accessing a single device?
2 comments
lamontcg 852 days ago
Generally the threat model that TOTP protects against is not someone breaking into your device. The threat model that it protects against is someone compromising your other credentials. So, although not recommended, you could post your login credentials on twitter and still nobody would be able to get into your account. An attacker hacking into your laptop/desktop/phone with access to install keyloggers and hijack connections is not really what it protects against.
link
fauigerzigerk 852 days ago
>Generally the threat model that TOTP protects against is not someone breaking into your device.

And yet, in some realistic scenarios TOTP does protect me against that, if the second factor is on a different device, kind of like a poor man's yubikey.

link
lamontcg 852 days ago
Not if I'm on your device and hijacking your already-authenticated connection. I just need to be careful enough to do it in the background in such a way that you don't notice.
link
fauigerzigerk 852 days ago
If my device got stolen I would remove the device from my accounts immediately. And without the second factor you wouldn't be able to do anything about it.
link
lamontcg 851 days ago
The threat is that your device is infiltrated right now.
link
patrakov 852 days ago
In a corporate setup, it also somewhat protects against intentional policy-violating password sharing between employees.
link
powersnail 852 days ago
> How is it secure if the only thing an attacker needs is a single method of accessing a single device?

You should have two-factor for your password vault as well, and that TOTP is stored on a separate device.

In other words, you replace the model of having password+TOTP for every account, to having one password+TOTP for your password vault, and effectively treat that password vault as an authentication service for yourself.

link
fauigerzigerk 852 days ago
That's a good idea.

Now I just have to find out how to configure this for passkeys.

link