Password & TOTP via 1Password, or separate them for maximum security?

Spythe
Community Member
edited July 2017 in Lounge

Hey guys,

I've used Authy for a long time as my TOTP (Time-based One-Time Password) app, but it annoyed me that when I was working on my Mac I had to grab my iPhone for the TOTP. I recently learned that 1Password features TOTP as well and can fill in your username & password while copying your TOTP to the clipboard in a single click. It's so easy, and having everything secured and set up with a single application, 1Password, is the best there is... is it?

I don't own a tin foil hat (but I do have a paper boat!), and I'm more curious than worried about whether having your password & 'two-factor authentication' in the same spot reduces security. For example, two-factor authentication by SMS was a second layer of security so that, in case your password (i.e. your 1Password master password) was stolen, one still couldn't access your account unless they also had access to the second layer (i.e. your phone's SMS). However, when the hacker in question breaches your 1Password vault and you store your password and the TOTP there as well, the whole idea of a second layer of protection flies away like dust in the wind.

This wouldn't be the case if you had separate security applications, such as 1Password for your password and a secondary application for your second factor of authentication. Again, I'm more curious than worried, but I'm still wondering where storing your first and second layer of security in 1Password ranks 1Password itself on the security ladder.

This wouldn't be the case on iPhone with Touch ID if someone were able to compromise your fingerprint, as Authy and 1Password are both unlockable via fingerprint, but if the only option were breaching/stealing passwords, a hacker has two tasks with separate applications, instead of a single job that results in access to everything.

Feel free to discuss and share your opinion or advice. I'm eager to hear about the do's and don'ts concerning two-factor authentication and TOTP applications.

Update: I learned, just a minute ago, that Authy released a desktop app minutes/hours ago. That doesn't change the course of this discussion, however.


1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided

Comments

  • Hi @Spythe

    Thanks for taking the time to write in with this curiosity. As with every trade-off between security & convenience it all comes back to a consideration of what threats you expect to face. Certainly the most secure information is that which is totally inaccessible to anyone, but that isn't very convenient is it? :)

    If the attack vector that you are concerned about is that of someone stealing your device and having access to your finger to unlock your device and apps via Touch ID, then you probably want to disable Touch ID altogether. In both of your example scenarios (1Password+Authy or 1Password+SMS), unless you've disabled Touch ID, an attacker who has both your device and your finger is going to have everything they need to impersonate you. If you're concerned about this threat, but still want the convenience of Touch ID, you may want to consider wiping your phone remotely (iCloud can do this) if your phone is ever out of your possession.

    If instead the attack vector you're concerned about is a remote one (i.e. someone who doesn't have your device or your finger), having TOTP enabled but the secret stored in 1Password is probably a reasonable risk to take for the relative convenience offered.

    Personally I'm fairly confident in storing both the password and TOTP secret for accounts in 1Password. The former attack vector is much less of a concern for me. I work from home, don't use public transit, and generally am not one to lose/misplace my phone or to have it stolen (knock on wood). Even if I were to lose my device somehow, I can remotely wipe it. And I'm fairly confident a thief wouldn't be in a position to get my fingerprint. Were I truly targeted, and someone were to steal my phone and use the wrench method to get me to unlock it... yes, that would give them access, but that is a risk I'm willing to take. If they're going to beat me with a wrench I'm probably going to give them whatever they want anyway. :)

    Source: xkcd: https://www.xkcd.com/538/

    Ultimately it is a decision that each individual has to make for themselves.

    Does that help?

    Ben

This discussion has been closed.