| HN Mirror

Y	Hacker News new \| ask \| show \| jobs

by jerf 532 days ago

Putting your 2FA into your password manager doesn't "reduce" it to "something you know". It proves it was "something you know" all along. If it can be put into a password manager, it's "something you know", regardless of what the intention is or was. Intentions don't drive what things actually are.

On a related notes, "passkeys" are also "something you know" for the same reason.

However, that does not mean that TOTP codes are useless. Not all "something you know"s are created equal. However, I shamelessly put my TOTP codes into my password manager. Just because some people mistakenly identified it as "something you have" doesn't mean I need to pretend they are correct. It just inconveniences me for no security gain.

1 comments

dns_snek 532 days ago

> If it can be put into a password manager, it's "something you know", regardless of what the intention is or was. Intentions don't drive what things actually are.

That's not a useful distinction and needlessly breaks an otherwise useful model. By that logic, every authentication method is just "something you know" since every piece of information can be represented as a stream of bits, and password managers are well equipped for storing it. That includes your face, fingerprint, and DNA.

jerf 532 days ago

I agree with your last sentence and I am finding the know/are/have model actually quite useless in practice, for that very reason. It's all really just variants on knowing, and rather than breaking the world into three categories, two of which don't really exist, it's much more sensible to look at what the differences between the classes of "knowing" is.

For example, while I "know" my TOTP codes, it is relevant that they can not be memorized. While I "know" my passkeys, the differences in how that knowledge is interrogated is relevant. What isn't useful is modeling either of those things as "have" versus "know", because by putting them in my password manager, I have objectively broken them as a concept of "thing I have".

But people marry their models, so it'll be a while for this to get through our collective skulls. It looked so useful at first.