My argument is that the practice of storing TOTP in the password manager app undermines the very essence of two-factor authentication (2FA) and is essentially "1FA" in disguise.

https://iamvishnu.com/posts/totp-inside-password-manager

On Storing TOTP in Password Managers — Vishnu's Pages

My argument is that storing TOTP in password managers undermines the very essence of two-factor authentication (2FA), and is still '1FA' in disguise.

@vishnuharidas I only partially agree with your argument. I see it more like "1.5FA", as it's way more likely that your password gets leaked by some random website than having your password manager compromised (well, as long as you don't use LastPass). So having your TOTP stored in the pw manager will still protect you, and it's better to do this than having no 2FA at all. But it's important to have a unique password for the pw manager app.

@EdyBolos one scenario is when you left the computer unattended for a while and the pwd manager is unlocked during this time. Another scenario is someone getting access to the pwd manager itself via a stolen master password (phishing/keylogger/etc.) - a possibility that can't be ruled out.

Getting access to the box where **both keys are stored** is what I am worried about. So keeping one key in a separate box with a different protection mechanism and in another space is better IMHO.

@vishnuharidas I agree with you that it's best to have them separate. I'm just saying that for most folks having their pwd manager compromised is less likely, so between not setting any 2FA due to the inconvenience and using the pwd manager for it, the latter is better, although not the best.
I think that security doesn't have to be all or nothing, but rather based on levels of risk appetite. I would love to get into a lengthier discussion, but a microblogging app is not a good place for nuance 🙃
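The thread's point turns on one technical fact: a TOTP code is a pure function of the shared seed and the clock, so whoever can read the seed can produce every future code. The following is an added illustration, not code from either participant or from the linked post: a minimal RFC 6238 TOTP generator plus the verifier-side check (constant-time comparison, small clock-drift window) that a service performs. The seed and timestamps are the RFC 6238 reference test vectors; the "vault" layouts at the end are constructed to show which stores must be read to obtain both factors.

```python
import hashlib
import hmac
import struct
import time
from typing import Optional

# RFC 4226 HOTP: HMAC over the big-endian counter, dynamic truncation, modulo 10^digits.
def hotp(key: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    mac = hmac.new(key, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)

# RFC 6238 TOTP: HOTP with counter = floor(unix_time / step).
def totp(key: bytes, at: Optional[int] = None, step: int = 30, digits: int = 6) -> str:
    if at is None:
        at = int(time.time())
    return hotp(key, at // step, digits)

# Server-side check: accept the current step and +/- `window` neighbours to tolerate
# clock drift, comparing in constant time so the check itself does not leak digits.
def verify_totp(key: bytes, code: str, at: Optional[int] = None,
                step: int = 30, digits: int = 6, window: int = 1) -> bool:
    if at is None:
        at = int(time.time())
    base = at // step
    ok = False
    for delta in range(-window, window + 1):
        candidate = hotp(key, base + delta, digits)
        # no early return: evaluate every candidate so timing does not reveal which matched
        ok |= hmac.compare_digest(candidate, code)
    return ok

# Constructed storage layouts (hypothetical names). Each store maps item -> value.
# "single_vault": password and TOTP seed live in the password manager together.
# "split": the seed lives in a separate authenticator store.
LAYOUTS = {
    "single_vault": {"pwmanager": {"password": "hunter2", "totp_seed": b"12345678901234567890"}},
    "split": {"pwmanager": {"password": "hunter2"},
              "authenticator": {"totp_seed": b"12345678901234567890"}},
}

# Given the set of stores that can be read, report which login factors are obtainable.
def factors_obtainable(layout: str, readable_stores: set) -> set:
    have = set()
    for name, items in LAYOUTS[layout].items():
        if name in readable_stores:
            have |= set(items)
    return have

if __name__ == "__main__":
    seed = b"12345678901234567890"
    print(totp(seed, at=59, digits=8))              # RFC 6238 vector: 94287082
    print(verify_totp(seed, totp(seed, at=59), at=59))
    print(factors_obtainable("single_vault", {"pwmanager"}))
    print(factors_obtainable("split", {"pwmanager"}))
```

Reading the last two calls side by side is the whole argument in the thread: with the seed in the password manager, one unlocked or stolen vault yields both the password and everything needed to mint codes; with the seed elsewhere, the same vault yields only the password.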