[Skunkleton]

That's not correct, at least depending on your threat model. Having a password stored + totp in a password manager does give the advantage of protecting you against the loss of the stored password itself.

Specifically with 1password I have all three factors you've mentioned above. 1) knowledge - my vault password is memorized, 2) inherence (?) - biometrics used to unlock the vault on trusted devices, 3) possession - my account requires a security key to unlock.

[microtonal]

Having a password stored + totp in a password manager does give the advantage of protecting you against the loss of the stored password itself.

Which becomes far less relevant when using a password manager, because people don't reuse passwords anymore. Password managers also autofill, so eavesdropping on a password is also not possible anymore. One of the primary vectors for compromising passwords is compromising the password manager, which would also compromise the TOTP codes if they were in the password manager. You have much stronger protection against that if your TOTP codes are stored on a separate device.

That said, TOTP is also pretty terrible because does not really protect against phishing (just make a phishing site proxy both credentials).

Hardware keys are the only really secure solution if you consider password manager compromise as part of your threat model.

Remember that password managers are comprisable, just look at LassPass' history.

[adastra22]

...how? Loss of the stored password would mean loss of the TOTP too.

[goupil]

If your 1password is compromised, then loss of the password would mean loss of the TOTP, in which case TOTP doesn't help.

But there are other scenarios where your password could be stolen without someone getting access to your 1password, for instance if your connection isn't protected and a man in the middle can intercept your password.

In the end, I would argue that having TOTP in the same place as your password is weaker than having it somewhere else, but it's still better than no 2FA

[tempestn]

Another one would be a password change attack. TOTP in 1pw protects you against almost all of the things TOTP normally would, except an attacker somehow gaining access to your vault. But in order to gain access to your vault, they would almost certainly need access to one of your unlocked devices, thanks to the 1pw secret key, which is required in addition to your master pw to unlock the vault on a new device. And if they have that, thrn they would have your second factor even if it were in a separate app.

[microtonal]

But there are other scenarios where your password could be stolen without someone getting access to your 1password, for instance if your connection isn't protected and a man in the middle can intercept your password.

Then they could also intercept your TOTP code, which is valid for a pretty long time by default (remember that the TOTP code is accepted for some time after the counter goes to 0 to account for transmission delays, slightly out of sync clocks, etc.) and use that to log into your account.

TOTP does not protect against modern forms of phishing. You need something like FIDO2.

[goupil]

That's a very valid point, as an automated attack could then be performed. I guess it would at least help against an attacker that would be manually checking what's inside the packets captured, or that would let his attack passively capture everything for a while and then proceed to attack.

[coldtea]

Say I store a password for service X on 1P.

The password becomes known to attackers somehow.

That doesn't mean they have access to my TOTP for the service, even if it's managed by the 1P app.

Loss of 1P's password/key would indeed also mean loss of my TOTP. But then one would have much bigger problems anyway, except if all their 1P passwords also had an external TOTP.

[microtonal]

The password becomes known to attackers somehow.

Let's work through the scenarios:

- Eavesdropping on you, doesn't happen because you use the password manager's autofill.

- Hacking service X, TOTP doesn't matter. They'll have the TOTP shared secret, but who cares anyway, they have access to your whole account.

- Using the same password across sites -> shouldn't happen either, this is why you are using a password manager.

- Phishing: while they cannot access your TOTP secret, they can just ask you a TOTP code while phishing as well and log onto your account.

So what is this scenario where an attacker knows your password, needs your TOTP, but doesn't have it? The primary scenario I can think of is where they somehow compromised your password manager, but you stored your TOTP secrets on a separate, uncompromised device (like your phone).

[coldtea]

>- Eavesdropping on you, doesn't happen because you use the password manager's autofill

Not necessarily always, I could also copy paste from the password manager (e.g. for some app that doesn't support the autofill), write it from memory at some point, and so on.

Password manager just means "place to store passwords safely", it doesn't mandate the passwords are generated by it, that autofill and browser extensions are used, and so on.

>- Hacking service X, TOTP doesn't matter. They'll have the TOTP shared secret, but who cares anyway, they have access to your whole account.

They can (and often do) hack and get the passwords, but not at the same time have access to the account data. E.g. just hack the auth, or have the password file/db leak, etc.

>- Using the same password across sites -> shouldn't happen either, this is why you are using a password manager.

Doesn't matter, can still happen anyway. Not all passwords were created with the password manager, and some someone might not have bothered to change once he added them there.

>- Phishing: while they cannot access your TOTP secret, they can just ask you a TOTP code while phishing as well and log onto your account.

That's still about them not having and needing your TOTP.

>So what is this scenario where an attacker knows your password, needs your TOTP, but doesn't have it?

For starters, the case where they "ask you a TOTP code while phishing" and you don't give it to them.

It's not mandatory that you're prone to their phishing.

[jackweirdy]

> - Eavesdropping on you, doesn't happen because you use the password manager's autofill.

I rate this more likely and it’s one reason I still use TOTP stored in the same place as the password for other services.

A lot of sites are susceptible to cdn JavaScript compromises, and at least with TOTP stored in the same place as the password, a password replay attack has a very tight window of usability

[gregoryl]

Only if the vault is cracked. If it's intercepted somehow, or pulled from a database dump, the 2FA token will still be secure.

[adastra22]

I don't see those as realistic. Session interception largely isn't a thing anymore, unless we're talking about nation-state levels of attackers, and if the service is storing your password unhashed then I sincerely doubt their 2FA is configured in a secure way anyway.

[jackweirdy]

I think it’s not a nation state actor thing. In 2018 British airways checkout got popped by a JavaScript being library being changed to eavesdrop credit cards. The same thing could easily happen with password forms

Granted they didn’t break the session in flight, but there is a low bar to achieve the same thing

[eschatology]

if your network is compromised I can read your password but not totp

if I hacked a website you’re registered to and you had reused your password I got your password but not totp

if I broke through your computer and password manager then yes it’s all over, but this is not the only threat model and frankly the least i am worried about

[nucleardog]

> if your network is compromised I can read your password but not totp

What part of my network? The password is being encrypted in my browser, sent over an encrypted and authenticated connection, and decrypted by the service I’m logging in to.

The only real place to compromise here is before the “browser sends this to SSL library” part in which case you’re already on my local machine and you can just grab everything in my password manager when I unlock it.

> if I hacked a website you’re registered to and you had reused your password I got your password but not totp

If you’re not using a password manager and a different password for each service, then yes, using TOTP provides a large security benefit.

If you’re using a password manager it is probably specifically to avoid password re-use, so this doesn’t apply in most cases.

> if I broke through your computer and password manager then yes it’s all over, but this is not the only threat model and frankly the least i am worried about

If you’re on my computer, yeah, you’ve got both and the TOTP, they do nothing.

So there’s no scenario here where “password manager for passwords + TOTP” is decreasing my risks in any meaningful way.