The OTP you want to use was already used
Although it's true that you are increasing the attack surface when compared to locally stored OTP keys, in the context of OTPs, it doesn't matter. It is still doing its job as the second factor of authentication. The password is something you know, and the OTP is something you have (your phone/SIM card).
I would argue it is much worse what 1Password and Bitwarden (and maybe others?) allow the users to do, which is to have both the password and the OTP generator inside the same vault. For all intents and purposes this becomes a single factor, as both are now something you know (the password to your vault).
Arguably, if you use 2FA to access your passwords in 1password, there's little difference between storing all your other OTPs in 1password or a separate OTP app. In both cases, since both your secret passwords and OTPs are on the same device, you lack a true second factor. The most likely way someone would gain access to 1password secured with 2FA is if they control your device and it's been compromised, and having your OTPs separated wouldn't provide additional protection there. Thankfully, the larger benefit of OTPs for most people is that they are one-time-use, not that they originate from a second factor.
There is one theoretical situation I can think of where having your OTPs and passwords separate could be an advantage, and that's if someone gained all your 1password login details, including the 2FA secret key. But for someone able to gather that much sensitive intel, I'm not sure how much more of a challenge an authenticator app would be.
If you truly feel you need a second factor though, you'll probably want to look at something like a Yubikey or Titan. I've considered getting one to secure my 1password vault to reduce the risk of a lost phone being compromised.
Arguably, if you use 2FA to access your passwords in 1password, there's little difference between storing all your other OTPs in 1password or a separate OTP app. In both cases, since both your secret passwords and OTPs are on the same device (your phone), you lack a true second factor. The most likely way someone would gain access to 1password secured with 2FA is if they control your device and it's been compromised, and having your OTPs separated wouldn't provide additional protection there. Thankfully, the larger benefit of OTPs for most people is that they are one-time-use, not that they originate from a second factor.
As you said, if you have both the password manager and the OTP manager on the same device it goes against the concept of 2FA, and you can throw most of the guarantees out the window.
I think one distinction worth making is that the encrypted vault itself is still only protected by one factor, the password. The OTP 1Password asks you for is part of their service authentication mechanism. If for some reason the attacker manages to get an encrypted copy of your vault (via app cache, browser add-on cache, MITM, 1Password's servers, etc.), "all" the attacker needs is to brute force your password and they can access the contents (passwords and OTP seeds) of the vault without requiring the TOTP token. Yes, you can mitigate this with a good password/passphrase, but as GPUs/CPUs get faster, will that password continue to be good enough in a few years' time? If your master password becomes "easily" brute-forceable, now the attacker has access to all of your accounts because you had the passwords and OTP seeds in one vault.
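The distinction drawn above, that the vault blob is protected by the master password alone, can be made concrete. The following is an added example, not 1Password's or Bitwarden's code: a toy vault whose key is derived with PBKDF2-HMAC-SHA256 and whose stored check value lets a guess be tested entirely offline, with no TOTP involved. The iteration count, the salt and the cost figures in the usage note are constructed assumptions; a real product chooses its own KDF parameters and attackers' guess rates vary with hardware.

```python
import hashlib
import hmac
import math
import os

KDF_ITERATIONS = 600_000  # assumed work factor for this example, not a vendor's setting
SECONDS_PER_YEAR = 365 * 24 * 3600


def derive_vault_key(master_password: str, salt: bytes, iterations: int = KDF_ITERATIONS) -> bytes:
    """The vault key depends only on the master password, the salt and the KDF cost.

    Nothing here involves a second factor: anyone holding the encrypted blob and the
    salt can run this function on their own hardware for every candidate password.
    """
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, iterations, dklen=32)


def make_verifier(key: bytes) -> bytes:
    """Check value stored beside the blob so the client can detect a wrong password."""
    return hmac.new(key, b"vault-verifier", hashlib.sha256).digest()


def offline_guess_is_correct(guess: str, salt: bytes, verifier: bytes, iterations: int) -> bool:
    """What an offline guess costs: one KDF run plus one HMAC. The TOTP is never consulted."""
    return hmac.compare_digest(make_verifier(derive_vault_key(guess, salt, iterations)), verifier)


def passphrase_entropy_bits(word_count: int, dictionary_size: int) -> float:
    """Entropy of a passphrase drawn uniformly from `dictionary_size` words."""
    return word_count * math.log2(dictionary_size)


def expected_years_to_guess(entropy_bits: float, kdf_seconds_per_guess: float,
                            parallel_guessers: int) -> float:
    """Expected time to hit the password: half the space, divided by attacker throughput.

    Raising the KDF cost multiplies this linearly; adding one bit of entropy doubles it.
    """
    expected_guesses = 2 ** (entropy_bits - 1)
    return expected_guesses * kdf_seconds_per_guess / parallel_guessers / SECONDS_PER_YEAR


if __name__ == "__main__":
    # Constructed demo values.
    salt = os.urandom(16)
    verifier = make_verifier(derive_vault_key("correct horse battery staple", salt))
    print(offline_guess_is_correct("correct horse battery staple", salt, verifier, KDF_ITERATIONS))
    print(offline_guess_is_correct("password123", salt, verifier, KDF_ITERATIONS))
    # Four words from a 7776-word list, a hypothetical 1 ms per KDF run, 10,000 parallel guessers.
    bits = passphrase_entropy_bits(4, 7776)
    print(round(bits, 1), "bits;", round(expected_years_to_guess(bits, 1e-3, 10_000), 2), "years")
```

The two knobs a user controls are visible in `expected_years_to_guess`: the KDF iteration count (set by the product, and fixed at the time the vault was created unless it is re-encrypted) and the entropy of the passphrase. The poster's worry about faster hardware corresponds to `kdf_seconds_per_guess` shrinking over time while the stored blob's iteration count does not change.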
If you truly feel you need a second factor though, you'll probably want to look at something like a Yubikey or Titan. I've considered getting one to secure my 1password vault to reduce the risk of a lost phone compromising my vault.
I have one, but unfortunately the number of services that support U2F as a 2FA mechanism is relatively small, and if you want to talk about FIDO2 passwordless authentication, even fewer.