[blackbear_]

Just consider that storing TOTP codes in the password manager negates the advantage of two factors authentication, namely the added security of needing a second device. This would keep your logins safe even if somebody managed to breach your KeePassXC database.

[StrLght]

> negates the advantage of two factors authentication

Like with all things it depends on your threat model.

If your threat model includes risk of leaking all data from your password manager – then yeah, it worsens your security.

Otherwise it still covers all other risks:

1. it makes bruteforce basically impossible

2. it makes phishing harder (assuming that your password manager supports autofill and that it checks domains correctly)

3. it lowers the risks if a single password leaks

[Aachen]

All of this is true without 2FA, just storing securely generated passwords in the manager.

Whether it negates the benefits of 2FA (i.e. whether it's 1FA) doesn't depend on the threat model. The threat model is what makes an individual decide whether 2FA is worth it

[brnt]

No? Without TOTP in Keepass, an attacker still only requires a password (which may be brute forced or otherwise obtained from badly secured websites). If you have TOTP, they _also_ need a copy of your keepass-file, the password and any other factor to _it_, or have access to your machine during a session or so.

[Aachen]

Think about how the attacker gets there:

- "an attacker still only requires a password (which may be brute forced" Brute force? Then it wasn't generated securely. Use Keepass' built-in generator or another one that is meant to generate passwords with. You could make the same argument for the 2FA seed: that can also be generated insecurely or set manually by hand

- "or otherwise obtained from badly secured websites" The attackers can obtain the 2FA seed in the same way. Furthermore, the 2FA seed is stored plaintext in the website's database whereas the password is typically stored in hashed form (which is unbruteforceable if you generated it securely)

- "they _also_ need a copy of your keepass-file, the [main] password" The attacker either got the website's password from this same file (so they evidently have that file and the main password to unlock it), or if you imagine a scenario where the site got hacked and the stupid site stored your password in plain text, then they have access to the site (and the 2FA seed) anyway because they hacked it. So long as you don't re-use passwords (don't need 2FA for that, just a password manager), a site's breach has no impact beyond this one site that was hacked outside of your control

- "and any other factor to _it_" Do you mean the key file here? Or what other factor? Either way, again: if they need that to open the vault then they can't get at the passwords either, so what benefit does {2FA when stored inside the password vault} have?

I don't know of a scenario where an attacker can get the website's password from the vault, but not the website's 2FA seed, when you store both inside that same (encrypted) file

[brnt]

1. TOTP (the only 2F we could be discussing) is derived in a specific way by e.g. Keepass, which has been audited. There is an RFC for this. I don't see the vuln here. 2. But this info is transferred just once, so the method relies on either intercepted both (pw and TOTP seed) that one time. Far less likely than intercepting just the pw every time you login. With a compromised or insecure server: all bets were off already. 3. Even if you have safe service-dependent passwords, as one should, 2F renders it useless in certain scenario's, if all they have is the password. 4. Yes, factors to the keyfile. It does not have to be just a password.

While it seems a reasonable assumption that 2F seed and password are stored alongside eachother, the vuln does not need to expose both. We don't know. But we do know more factors means more opportunity for 1 factor to be accidentally safe.

[hypeatei]

It doesn't negate the advantage of 2FA. There are so many scenarios that don't involve your entire password manager database being leaked in plaintext. In that case, you likely have much more to worry about considering the attacker has a bunch of places to pivot from (account recovery flows, recovery email accounts, etc..)

[wolvesechoes]

You are allowed to have two separate databases, with different passwords. You can even store them on different devices!

[speedgoose]

It’s still one device.

[quchen]

The second factor does not have to be a second device. Like everything security, it’s what you’re protecting against. Shoulder surfing and device theft are not something I worry about in my home setup, for example.

[Aachen]

> The second factor does not have to be a second device. Like everything security, it’s what you’re protecting against.

It doesn't matter if you store your 2FA seed on a billboard or as a tattoo where the sun doesn't shine: 2FA means two factors. The definition doesn't change when your home setup's threat model doesn't call for 2FA and you thus decide to store two secrets in the same place (making a compromise of one necessarily a compromise of the other, thus 1FA)

[wolvesechoes]

> making a compromise of one necessarily a compromise of the other, thus 1FA

The only necessity is logical necessity, and it doesn't apply there.

[Aachen]

You're saying you can store two pieces of information in one file, without a compromise of one implying a compromise of the other? Do elaborate

[brookst]

This is so wrong. You’re conflating where things are with what they are. Two factors does not mean two devices.

[speedgoose]

Yes it depends on your treat model. But being defeated by one simple keylogger isn’t a risk I’m willing to take even at home.

[AstralStorm]

And yes, 2FA single use codes will protect against a simple keylogger.

But if its on the same device, it will not protect you against a password database harvester.

[alanfranz]

If you login from your phone, it’s still one device. Should we have different totps for different devices?

Something that you have can be your own pc.

[Aachen]

You're onto something even banks don't seem to understand! The industry standard for doing financial transactions calls for 2FA but then they make a mobile app that can self-approve transactions. Yes, using only one mobile device is 1FA, just like using one desktop only, but people generally consider mobile OSes safer because the permission model and process isolation is on a whole other level

[broken-kebab]

There's a grain of truth in your statement, but no matter how hard it's to accept for all of us nerds here, in real life words are defined by usage. If industry calls it 2FA, users call it 2FA, then it's 2FA.

[Aachen]

They can call the sky green but unless the wavelength changed, I don't see the benefit of taking over that terminology, no matter if you're a user or a nerd or both. That's the real-life situation: sky isn't green, idk why anyone would need to "accept" that or not when it factually isn't the case

[wolvesechoes]

If you store two databases on two devices it makes them suddenly one device? What kind of security sorcery is this?