this post was submitted on 05 Jun 2024
46 points (78.0% liked)
Open Source
31118 readers
329 users here now
All about open source! Feel free to ask questions, and share news, and interesting stuff!
Useful Links
- Open Source Initiative
- Free Software Foundation
- Electronic Frontier Foundation
- Software Freedom Conservancy
- It's FOSS
- Android FOSS Apps Megathread
Rules
- Posts must be relevant to the open source ideology
- No NSFW content
- No hate speech, bigotry, etc
Related Communities
Community icon from opensource.org, but we are not affiliated with them.
founded 5 years ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
view the rest of the comments
I generate a TOTP with my password manager, it stores all my other login details and keeps it simple.
That seems like it defeats the "2" part of 2FA. If your password manager is compromised the attackers now how complete access.
Technically true.
You are right, having the password in the same vault does mean that if the vault itself is compromised they have both. Guess I could move the TOTP to a separate authenticator app but the only other apps I have a mobile only and there are times I need to login without having hands on my phone.
I guess the time based aspect of the TOTP makes it a little more resistant to having someone monitor my keystrokes or clipboard or whatever and capture a relatively long lived secret like my password. So I guess its a comprise I'm willing to make.
That's minimal to me. I chose 1password for this exact reason, read all of their technical docs.
1password uses encryption with a 2-part key, your password and your "Secret key" which is essentially a salt. Combining those two, they encrypt your entire storage blob and store it. They're very clear that there is no backdoor, there it is encrypted using your keys, and they do not store those keys anywhere - and that if you lose your keys you're out. There are zero recovery options. Which I love. (Which means I do not recommend it to non tech folks who will probably lose one of these keys)
So the secret key is similar to a guid, can have that written down somewhere, and your password should never be written down anywhere, and be completely unique. Doing those two things, I feel confident that keeping my 2FA in my most secure area is safe. There is minimal chance that someone is able to log in remotely to my 1password, even if they got my key, my password isn't written down.
The convenience of this is x1000, while the risk to me is negligible. It's why when I worked in fintech it was the manager of choice, and I recommend it for secrets in kubernetes. Until they prove me wrong, security is truly number one with them.
I love 1Password, they're great (I personally use Bitwarden for my passwords, but would happily recommend either of them). But by putting both your authenticator codes and your passwords in the same place, you now have a single point of failure. What happens if someone finds an exploit in 1Password that gives them access to your account? The whole point of 2FA is to not have a single point of failure.
I'll happily take that chance for the convenience. Even if 1password leaks, they don't have the keys to my vault. They would need my key and password to unlock it. The only time that isn't needed is if it's unlocked, which only is on my linux computer, which means they need to find an exploit with their app. In the 7 years I've used them I've never even heard a wiff of something even small happening.