Short answer: I would recommend keeping your 2FA codes within 1Password. Then focus on keeping your 1Password account secure (i.e. don't share your Master Password with anyone or anything). To that end, if you're feeling fancy, you can enable two-factor authentication on your 1Password account, keeping the convenience of having your 2FA codes autofilled by 1Password and restoring the true two-factorness.

Slightly longer answer: The most important part of securing your online accounts is using strong, unique passwords for each site (for which 1Password is perfect). The next most important part is code-based 2FA, which brings two main advantages:

"One-timeness" - a password is the same every time you use it, meaning if it's compromised in transit (like if you're on a non-HTTPS site and an unsecured WiFi network), it's useful to a potential attacker until you change it. The one-time passwords of 2FA change every 30 seconds following a pattern only you and your authenticator app know, so a potential attacker intercepting your network traffic now has an extremely limited window of usefulness on the captured information.

"Second factor" - If you keep a password for an account on one of your devices, and only sign in to that account on that device, while your 2FA codes are stored on a separate device, you have a true second factor. A potential attacker would need both devices to access your account, hence the two of two-factor authentication.

TL;DR? Keeping your 2FA codes with your passwords in 1Password removes the true second factor aspect of 2FA. But it retains the one-timeness, which makes the theoretical "weak link" your 1Password vault. Which is a pretty sweet weak link, if you ask me.

If you're up for a more in-depth read on this particular topic, our very own Head of Security, covers this pretty well over on this blog post.

I appreciate the argument that it may be better to focus entirely on the security of my 1Password account and store one-time passwords within my 1Password account. I suppose the simplicity may outweigh any gains from using a dedicated authenticator app for 2FA with other accounts.

At the moment I am using a separate authenticator app. I have this installed on my phone but not elsewhere. I also have 1Password installed on my phone. 1Password and the authenticator app using different passwords.

To help further my understanding, could you please comment on my statements below. Are they valid?

From the perspective of accessing accounts from my phone I don't have true 2FA (because both 1Password and my authenticator app are installed on my phone).

From the perspective of accessing accounts from my other devices (e.g. PCs and tablet on which I have 1Password installed) I do have true 2FA (because the authenticator app is not installed on these devices).

Although I don't have true 2FA on my phone there is marginal gain from using a dedicated authenticator app because it is protected by a different password to my 1Password.

Two-factor authentication is often referred to as "something you know" and "something you have". We get hung up on the second part, but it is not essential to getting the security benefit of a TOTP-based authenticator app, as jpgoldberg points out in the following discussion:

I think it is more useful to think of 2FA as building a chain of trusted devices. You use a device under your control to tell a website that it can trust a new device, that device gets added to the chain and you agree to keep it under your control. This protects your account from the vast majority of devices on the internet which are not part of this chain of trust.

Using it to store your password doesn't change the fact that it is a device under your control and doesn't make it available to a remote attacker. You have true 2FA because the phone is "something you have" and it is not available to a remote attacker.

Clicking the "Trust this device" when logging into a website so that you don't need to complete 2FA again doesn't mean you no longer have 2FA. It just adds the PC or tablet to the "chain of trust" for your account on that website.

If the password manager and authenticator app are equally secure then storing passwords and TOTP secrets separately using different passwords reduces the risk of compromise.
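The "one-timeness" point made in the longer answer above (a captured code is only useful for a very short window), as an added example that is not part of this thread or of 1Password's code: an RFC 6238 TOTP generator plus a minimal server-side verifier that accepts a code only within one 30-second step of the current time and refuses to accept the same step twice. The secret is the RFC test-vector key, and the `TotpVerifier` class is an assumed illustration of how a site might check codes.

```python
import hashlib
import hmac
import struct

STEP = 30    # seconds per code, as described in the answer above
DIGITS = 6


def totp(secret: bytes, unix_time: int, step: int = STEP, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: HOTP (RFC 4226, HMAC-SHA1) over the time-step counter."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                        # dynamic truncation offset
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


class TotpVerifier:
    """Server-side check (assumed illustration): accept a code only within
    +/- `skew` steps of now, and never accept the same step twice."""

    def __init__(self, secret: bytes, skew: int = 1):
        self.secret = secret
        self.skew = skew
        self.used_steps = set()                    # steps already redeemed

    def verify(self, code: str, unix_time: int) -> bool:
        now_step = unix_time // STEP
        for step in range(now_step - self.skew, now_step + self.skew + 1):
            expected = totp(self.secret, step * STEP)
            if hmac.compare_digest(expected, code):
                if step in self.used_steps:
                    return False                   # replay of an already-used code
                self.used_steps.add(step)
                return True
        return False                               # wrong code or outside the window


# RFC 6238 test-vector key (constructed sample; a real secret is random and per account)
SAMPLE_SECRET = b"12345678901234567890"

if __name__ == "__main__":
    verifier = TotpVerifier(SAMPLE_SECRET)
    captured = totp(SAMPLE_SECRET, 59)             # code an eavesdropper might capture
    print(captured, verifier.verify(captured, 59))     # first use: accepted
    print(verifier.verify(captured, 65))           # same step again: rejected (replay)
    print(verifier.verify(captured, 200))          # a few minutes later: rejected (expired)
```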