"you can save your two-factor authentication codes.... in 1Password" is dangerous

ToniMaroni
Community Member
edited January 2023 in Lounge

You can... but should you?
This means you store both factors in the same place; if one is leaked, the other is leaked too. I don't get why 1pwd insists on this dangerous idea. Convenience is one thing, but there is not even a warning that this is a bad idea.


1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Browser: Not Provided
Referrer: forum-search:"you can save your two-factor authentication codes.... in 1Password"

Comments

  • Hi @ToniMaroni

    We've blogged about our thoughts on this subject here:

    TOTP for 1Password users

    That may help give some insight. Ultimately it is of course your discretion whether you use this feature or not based on your threat model. If you have additional questions or comments we'd be happy to further the discussion. 🙂

    Ben

  • TambourineMan
    Community Member

    Some websites/services mandate TOTP but it's mainly for their protection (to reduce fraudulent use of their service?), not the user's. NordVPN is one example. I think I can use 1PW for sites where there is little risk to me and would appreciate the convenience.

  • ToniMaroni
    Community Member

    @Ben @TambourineMan, it would be indispensable and effortless to warn the users when actively proposing to store the second factor in the same app. As a user, I want to feel safe when using it in daily situations where my attention can't constantly be on the subject. Security is priority number one in a password manager.

  • TambourineMan
    Community Member

    @ToniMaroni @Ben
    This is just my first full day of using 1Password, but in my early trials I do not see that 1PW adds 2FA automatically. I have had to actively manage adding that, so it does more than warn me. I must tell it to do so.

    I use Google authenticator. It's possible that it works differently for other 2FA methods/mechanisms.

  • ToniMaroni
    Community Member

    @TambourineMan, yes, you have to actively add it after it encourages you to do so. A security app should protect me, or advise me not to do dangerous things, by default.

  • Storing your TOTP secret in 1Password is not dangerous.

    Ben

  • TambourineMan
    Community Member

    @Ben I agree it's not dangerous. And it is very convenient for logging in, especially when used on a desktop. It also makes it easier to use on a new device: while Google Authenticator allows export and import, the code would already be in the 1PW app, so it saves a step. The only problem for me is that I have an older Galaxy Watch 3 and I doubt there are or will be Tizen apps available for 1PW or authenticators.

  • ToniMaroni
    Community Member

    Is it more secure to store the second factor on a second device? Yes.
    Does 1pwd encourage that? No.

    End of the story.

This discussion has been closed.