Authenticating to a website, 2010: Type in username and password

Authenticating to a website, 2024:
- Type in username
- Look up 20-character password in password keeper
- wait
- Prompt for 2FA token
- Dig out phone
- Unlock phone
- Scroll through 50 services to find 2FA token for website
- Type in 2FA token
- Success
- Receive email alerting you to the fact you've logged in
- Six weeks later: receive email telling you service had been compromised eight weeks ago and you must change password.

@jzb tbh I hate services forcing 2fa on you when you don't need it, so I just store my 2fa codes in bitwarden. yes, it makes it not actually 2fa. no, I don't care.
@solonovamax @jzb It's still beneficial. There are a couple things i don't keep in Bitwarden but most of it i do. I guess i could separate them out but it seems so tough given how 2fa works.
@winterayars @jzb yeah if it was smth where I really cared about the security I'd use actual 2fa

@solonovamax @winterayars @jzb arguably it's still 2fa (assuming you 2fa into your pw manager)

The second factor is something you have: you're using the device from which you 2fa'd into your password manager.

@ojensen @winterayars @jzb I'm not using 2fa for my password manager lol (tbh I prob should, but, inconvenient)

so it's not really 2fa

@solonovamax @winterayars @jzb ok so I'm going to disagree *hard* with the idea of not 2fa'ing into your pw manager. For real, you should set that up right now.

It's not inconvenient, you do it like once every 30 days or something.

@ojensen @winterayars @jzb my password manager logs me out after like 30 mins
I also use a unique & long password for it that I don't use anywhere else
@solonovamax @ojensen @winterayars @jzb (you mean lock or logout? If lock, Bitwarden doesn't request 2FA on unlock (unless you request it specifically). If logout... why?)
@ojensen @solonovamax @jzb I definitely have 2fa on my password manager and recommend it. I don't make it ask every time but it's on there.
@ojensen @solonovamax @winterayars @jzb There's still a single point of compromise for the login to the website, i.e. the password stored in the password manager. If someone were to get their hands on that password, it'd be completely irrelevant whether you have 2FA on the password manager. But on the other hand, in order to have a meaningful discussion about how much of a problem that is, you'd have to go beyond the heuristic of "2FA is good" and actually start considering threat models and such, and I imagine for all but the most important websites you'd probably arrive at the conclusion that it's almost as good as the website offering 2FA itself anyway, so I guess I have talked myself into agreeing with you in spirit 😛

@diazona @ojensen @winterayars @jzb I think they're assuming that the password manager is using 2fa in this scenario

so, the points of failure would be the password used for the password manager + the 2fa device used for the password manager

@solonovamax @ojensen @winterayars @jzb Yeah that's the situation I was talking about too - the password manager itself requires 2FA to unlock it, but the website does not. Getting into the password manager has two points of failure, but getting into the website has one (albeit a difficult one).
@diazona @ojensen @winterayars @jzb if it's 32 characters including random numbers & letters (which is what I use by default) then they're not getting in before the heat death of the universe, so
@solonovamax @ojensen @winterayars @jzb They're not guessing it by brute force before the end of the universe, sure, but there are other ways to acquire a password. (MITM attacks, various sorts of compromise on the server side, etc)

@diazona @ojensen @winterayars @jzb

  • mitm: if the site is not using ssl/tls, I'm sure as hell not entering any password data into it
  • website compromised: 2fa wouldn't solve this either. the website has been compromised.