by cheald 532 days ago
I think it's a terrible idea, because it dramatically decreases the attack surface area needed to compromise accounts. 2FA is supposed to be "something you know" and "something you have"; putting your 2FA seeds into your password manager reduces your 2FA to "something you know", and, significantly worse, it's "something you know in the same place as the other thing you know".

The time-variant component is still quite valuable, but it does nothing to protect you in the event of a password manager compromise. This is not a hypothetical; LastPass has suffered multiple breaches, and the more popular a solution, the more likely there are to be attacks against that solution. By keeping your 2FA separate from your password manager, even if it's still just "something you know", it's something you know in a location that's orthogonal to your passwords. If I yield to convenience and use a 2FA desktop app, then now, instead of just attacking my Bitwarden install, you have to successfully attack my Bitwarden install and my 2FA desktop app install to get access to my accounts, and the combination of password managers * 2FA managers is a substantially larger attack surface and requires a significantly more sophisticated attack to get both pieces.

The arguments in the article come down to "well, 2FA mitigates phishing attacks" (true) and "Google Authenticator means you can lose your data easily" (also true). But neither of these is a good argument for why the data should be kept together. It just means "use 2FA", and "use a 2FA manager that lets you directly manage your seeds and keep offsite encrypted backups".

If you can't be bothered to do it properly, then 2FA codes in your password manager is certainly better than not using 2FA at all, but that just makes it a less terrible solution, not a good one.


Putting your 2FA into your password manager doesn't "reduce" it to "something you know". It proves it was "something you know" all along. If it can be put into a password manager, it's "something you know", regardless of what the intention is or was. Intentions don't drive what things actually are.

On a related note, "passkeys" are also "something you know" for the same reason.

However, that does not mean that TOTP codes are useless. Not all "something you know"s are created equal. However, I shamelessly put my TOTP codes into my password manager. Just because some people mistakenly identified it as "something you have" doesn't mean I need to pretend they are correct. It just inconveniences me for no security gain.

> If it can be put into a password manager, it's "something you know", regardless of what the intention is or was. Intentions don't drive what things actually are.

That's not a useful distinction and needlessly breaks an otherwise useful model. By that logic, every authentication method is just "something you know" since every piece of information can be represented as a stream of bits, and password managers are well equipped for storing it. That includes your face, fingerprint, and DNA.

I agree with your last sentence and I am finding the know/are/have model actually quite useless in practice, for that very reason. It's all really just variants on knowing, and rather than breaking the world into three categories, two of which don't really exist, it's much more sensible to look at what the differences between the classes of "knowing" are.

For example, while I "know" my TOTP codes, it is relevant that they can not be memorized. While I "know" my passkeys, the differences in how that knowledge is interrogated are relevant. What isn't useful is modeling either of those things as "have" versus "know", because by putting them in my password manager, I have objectively broken them as a concept of "thing I have".

But people marry their models, so it'll be a while for this to get through our collective skulls. It looked so useful at first.

If my primary device is compromised and my master password is compromised and the device that I use for second factor authentication into my password manager is compromised then the secondary device that I could use for 2fa codes is compromised. For most normal people, storing second-factor codes in Bitwarden alongside passwords is marginally worse at worst, and inconsequential at best.

Yes, if you use a bad password manager that is fundamentally flawed (like LastPass) then all bets are off but that's not an argument against the principle of storing 2fa codes alongside passwords in a password manager.

I doubt there's a single Bitwarden user on earth who has ever suffered a security incident because they store their 2fa codes in Bitwarden, that's how inconsequential this risk is.

Unconventional opinion here.

Passwords in the password manager are not "something you know" anymore. They are "something you have". So, no matter whether the TOTP codes are stored in the same app or a separate device, you can no longer properly call them 2FA. It's 2x "something you have" in either case.

EDIT: user "jerf" in the same comment thread says that it is 2x "something you know". The distinction whether something stored counts as "something you know" or "something you have" does not really matter. In either case, it is 2x the same type of a factor. --END EDIT.

From the "difficulty to compromise something" standpoint, you are, of course, right that storing the TOTP seed in a separate device is better. But look, this is not the primary reason why websites need to implement TOTP. The very fact that hackers need to compromise your device in order to get access to your account is already indicating a higher-than-usual security level, even without 2FA, and the article fails to notice this. Besides, the article only presents a user-centric viewpoint, while the viewpoint of a website owner would be more relevant here.

The main problem solved for real by TOTP is that users select stupid passwords like "Zhong+wen" that are guessable yet still pass complexity requirements, or reuse passwords on multiple websites (and your website cannot check for that), thus enabling compromise of the user's account on your website if another website gets hacked.

The main security reason (from the website viewpoint, not from the user's viewpoint) for TOTP introduction is, thus, to introduce a high-entropy factor which is (unlike a password) not chosen by the user, guaranteed not to be reused elsewhere, and thus cannot be guessed or compromised without access to the user's devices. This benefit is not invalidated by you storing the 2FA secret in the password manager.
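The property this comment describes (a high-entropy secret the server generates, the user never chooses, and that is turned into a short time-variant code) is just RFC 6238 TOTP built on RFC 4226 HOTP. The following is an added example written for this page, not code from anyone in the thread: a minimal server-side implementation with seed generation, code derivation, and a verifier that tolerates clock drift but refuses to accept a counter it has already consumed. The seed constant is the RFC 6238 Appendix B test secret, used here only so the outputs can be checked against the published vectors; `window` and `last_counter` are parameter names chosen for this example.

```python
import base64
import hashlib
import hmac
import secrets
import struct

# RFC 6238 Appendix B test secret (ASCII "12345678901234567890").
# Constructed/test value only; a real seed comes from generate_seed().
RFC6238_TEST_SECRET = b"12345678901234567890"


def generate_seed(nbytes: int = 20) -> bytes:
    """Server-side seed: 160 bits from the OS CSPRNG, never user-chosen,
    so it cannot be guessed or reused across sites the way a password can."""
    return secrets.token_bytes(nbytes)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % (10 ** digits):0{digits}d}"


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with the counter derived from the current 30 s window."""
    return hotp(secret, int(unix_time) // step, digits)


def verify_totp(secret: bytes, submitted: str, unix_time: int,
                step: int = 30, digits: int = 6, window: int = 1,
                last_counter=None):
    """Accept a code from the current window or +/- `window` neighbouring
    windows (clock drift), compare in constant time, and refuse any counter
    at or below `last_counter` so a captured code cannot be replayed.
    Returns the accepted counter (to persist as the new last_counter) or None."""
    counter = int(unix_time) // step
    for delta in range(-window, window + 1):
        candidate = counter + delta
        if last_counter is not None and candidate <= last_counter:
            continue  # already used: replay attempt or stale code
        if hmac.compare_digest(hotp(secret, candidate, digits), submitted):
            return candidate
    return None


def provisioning_uri(secret: bytes, issuer: str, account: str) -> str:
    """otpauth:// URI as encoded in enrollment QR codes; the base32 seed in it
    is exactly what ends up stored in an authenticator or password manager."""
    b32 = base64.b32encode(secret).decode().rstrip("=")
    return (f"otpauth://totp/{issuer}:{account}?secret={b32}"
            f"&issuer={issuer}&algorithm=SHA1&digits=6&period=30")


if __name__ == "__main__":
    seed = generate_seed()
    print(provisioning_uri(seed, "ExampleSite", "alice@example.invalid"))
    print("RFC 6238 vector at T=59:", totp(RFC6238_TEST_SECRET, 59))
```

The `last_counter` check is the part most toy implementations omit: without it, a code observed within the drift window can be submitted a second time. Note also what the code does not do: nothing in the verifier depends on where the client keeps the seed, which is the commenter's point that the site-side benefit survives the seed living in a password manager.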

Doing it properly is the key part I think a lot of people miss.

People often skip out on actually assuming responsibility for their data and accounts. A backup system should be in place and ensuring their 2FA codes are not lost with their device is part of that taking on responsibility.

You speak as if 2FA were something that most people use willingly and not just something they put up with because they're forced to.
Which is precisely why it's irresponsible to give people the rope to hang themselves with by supporting 2FA seeds in password managers (much less telling them it's a good idea), IMO.

People take the path of least resistance; we know this. It's why, for the longest time, people used one password for everything. People don't like using password managers, either, but we would all agree that it's unacceptably insecure to not use them, because the alternative is "one password used everywhere, maybe with a single varying digit on the end".

> People take the path of least resistance; we know this

If you remove the ability to store 2FA codes in password managers, the path of least resistance becomes "people don't use 2FA at all".

I don't think that's true at all. 2FA has been a popular solution for many years, well before the addition of TOTP support to the popular password managers.

For some sizable amount of the user base, assuming they can even be convinced to use a password manager in the first place, not being able to also store 2FA codes in the manager will become their excuse to not use 2FA codes.

A great expanse of users (note, not normally the ones who frequent HN) see all these 2FA codes, and passwords as well, as just an irritating impediment to accomplishing whatever goal it is they wish to accomplish at the time.

Was it actually popular among non-tech people? I feel like nobody I knew outside of developers had ever used a 2FA code until maybe 3 or 4 years ago (unless they were forced to).

I agree. Give the average person the ability to make a good enough decision for their online security with minimal effort. I'm having a hard time being that concerned with TOTP 2FA being an option in the same location as passwords when the most important accounts people have are often limited to completely unacceptable SMS 2FA (looking directly at you financial institutions). Whatever it takes to get people off SMS and Email 2FA is a big win in my book, even if it isn't the best option.

> it does nothing to protect you in the event of a password manager compromise. This is not a hypothetical; LastPass has suffered multiple breaches, and the more popular a solution, the more likely there are to be attacks against that solution.

You can mitigate this risk by not depending on your password manager app to do cross-device sync. Keep a file on Dropbox/OneDrive/iCloud Drive/SFTP/etc. and use an app like KeePass/Strongbox/etc. that just deals in managing credentials.

My KeePass file storage provider doesn't know what the hell I store there because it's encrypted (I hope there are no known issues with KeePass's crypto).

As a bonus, you can keep offline backups to mitigate other risks like house fire, lightning strike induced EMP frying things (happened to me), storage vendor goes out of business, and more.

-------------

I think in the end, there is no universal solution - you really have to try to be reasonable about estimating your own personal threats and risks (such as asking "am I more likely to suffer a password manager compromise or more likely to break a device?") to decide whether to keep 2FA next to passwords or not.

> But neither of these is a good argument for why the data should be kept together

The argument is "because many people, if they can't keep the data together, will elect not to use 2FA at all if given a choice."

I guess that would depend on execution. If your password manager uses strong encryption and you also use MFA for it (a yubikey for example), I imagine it isn’t all that less secure. Your point still stands, however.