Doesn't storing combined credentials and OTP in the same vault make me less secure or increase risk?

Greetings

As I'm talking with my users about password management, the topic of using the password manager as a means to store/use OTP has come up. What's been interesting to me about all of this is that while password management services are incorporating this functionality to include TOTP storage and implementation into their products, it fundamentally removes a big part of the security and separation out of the equation. I now combine something I know with something I have and store them in the same record.

Can the 1password team please help me understand how storing OTP in the same record as the login credentials is as secure (read: not as risky) as the traditional model of a separate application/location for the TOTP token?

Thanks!
Josh


1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided
Referrer: forum-search:2fa

Comments

  • Hi Josh,

    It will certainly be more secure to store OTP on a separate device. However, many users I know use apps like Google Authenticator on the same smartphone where the 1Password app is installed. In this case, 1Password will be more secure because it encrypts the OTP secret.

    Jeffrey Goldberg wrote more on this in the blog post (see "Second Factor? No"):
    https://blog.agilebits.com/2015/01/26/totp-for-1password-users/

    I hope this helps!

  • Marten
    Community Member
    edited February 2018

    I disagree slightly with that blog post when it comes to whether things are still two-factor.

    For instance, the Google authenticator app doesn't synchronize the secrets anywhere. So even if I also have 1Password on my phone, you'll still need to 1) have my phone and 2) know my 1Password password. This thing-to-have and thing-to-know is the basis of 2FA, and it seems like it's still intact.

    If you put the OTP secret in 1Password, an attacker can get access to them in the above way too. But, since 1Password syncs, there is now the additional vector of 1) know the account key, and 2) know the account password. This opens a vector where you need to know two things, rather than have a thing and know a thing. So I'd argue that this approach is less than two-factor.

    Neither feels as true a "two-factor" as a real hardware token, I'll concede that. And of course in practice people take backups of their phone (hopefully!), and if you do that to e.g. iCloud it means that the Google Authenticator data is also online (encrypted), in which case it's not really two-factor either (again, it's now turned into thing-you-know plus thing-you-know).

    I'm definitely not saying it's bad and insecure! Personally I think the convenience weighs up against the slight downside and so I do use 1Password for this.

  • AGAlumB
    1Password Alumni

    > I disagree slightly with that blog post when it comes to whether things are still two-factor. For instance, the Google authenticator app doesn't synchronize the secrets anywhere. So even if I also have 1Password on my phone, you'll still need to 1) have my phone and 2) know my 1Password password. This thing-to-have and thing-to-know is the basis of 2FA, and it seems like it's still intact.

    @Marten: It's definitely a very nuanced issue...

    > If you put the OTP secret in 1Password, an attacker can get access to them in the above way too. But, since 1Password syncs, there is now the additional vector of 1) know the account key, and 2) know the account password. This opens a vector where you need to know two things, rather than have a thing and know a thing. So I'd argue that this approach is less than two-factor.

    But that's like saying a safe is insecure because someone could potentially get the combination to it. And the fact is that there are still two distinct factors: the password you know, and the TOTP code which you definitely don't, as it changes continually.

    > Neither feels as true a "two-factor" as a real hardware token, I'll concede that. And of course in practice people take backups of their phone (hopefully!), and if you do that to e.g. iCloud it means that the Google Authenticator data is also online (encrypted), in which case it's not really two-factor either (again, it's now turned into thing-you-know plus thing-you-know).

    Indeed, security isn't about how something "feels".

    > I'm definitely not saying it's bad and insecure! Personally I think the convenience weighs up against the slight downside and so I do use 1Password for this.

    Agreed, it's all about choices. For most people, having a TOTP secret stored in 1Password will not only be more secure than the alternatives (SMS, or unencrypted in another app) but also a pretty big win for avoiding data loss and/or getting locked out. Cheers! :)
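    As an added illustration of what the two posts above are arguing over (this is example code, not anything from the thread, from 1Password or from Google Authenticator): a TOTP code is a deterministic function of the static shared secret and the clock, so whoever holds the secret (an authenticator app, a synced vault, or a phone backup) can produce every past and future code, while the site verifying the code can only bound clock skew and refuse reuse. The secret and expected codes are the RFC 6238 / RFC 4226 reference test vectors; the `TotpVerifier` class is an assumed server-side design, not any particular site's implementation.

```python
import base64
import hashlib
import hmac
import struct

# RFC 6238 reference secret (ASCII "12345678901234567890") in base32 form.
SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def hotp(secret_b32: str, counter: int, digits: int = 6, digest=hashlib.sha1) -> str:
    """RFC 4226 HOTP: HMAC the 8-byte big-endian counter, dynamically truncate."""
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    mac = hmac.new(key, struct.pack(">Q", counter), digest).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def totp(secret_b32: str, for_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the Unix time."""
    return hotp(secret_b32, for_time // step, digits)


def codes_for_secret(secret_b32: str, start_time: int, count: int, step: int = 30) -> list:
    """Every code the secret will yield over `count` consecutive time steps.

    This is the point of the thread: the code "changes continually", but the
    secret that produces it does not, so possession of the secret is the factor.
    """
    return [totp(secret_b32, start_time + i * step, step) for i in range(count)]


class TotpVerifier:
    """Assumed server-side check: accept codes within +/- `window` steps of the
    current step, and never accept the same (or an older) step twice, so a code
    observed in transit cannot simply be replayed during its validity period."""

    def __init__(self, secret_b32: str, step: int = 30, window: int = 1):
        self.secret_b32 = secret_b32
        self.step = step
        self.window = window
        self.last_counter = -1  # highest time step accepted so far

    def verify(self, code: str, now: int) -> bool:
        current = now // self.step
        for counter in range(current - self.window, current + self.window + 1):
            if counter <= self.last_counter:
                continue  # already used, or older than one we already accepted
            expected = hotp(self.secret_b32, counter)
            # Constant-time comparison so a timing side channel does not leak digits.
            if hmac.compare_digest(expected.encode(), code.encode()):
                self.last_counter = counter
                return True
        return False


if __name__ == "__main__":
    # Two copies of the same secret (e.g. an authenticator app and a synced
    # vault) necessarily agree on every code.
    print("codes for first three steps:", codes_for_secret(SECRET_B32, 0, 3))
    v = TotpVerifier(SECRET_B32)
    print("fresh code accepted:", v.verify(totp(SECRET_B32, 59), 59))
    print("same code replayed:", v.verify(totp(SECRET_B32, 59), 59))
```

    The verifier's replay guard is what a relying party can do about a leaked code; it can do nothing about a leaked secret, which is why the thread's disagreement is really about where the secret lives and how it is encrypted, not about the rotating six digits.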

  • rsimply
    Community Member

    > Can the 1password team please help me understand how storing OTP in the same record as the login credentials is as secure (read: not as risky) as the traditional model of a separate application/location for the TOTP token?

    From my understanding (most secure to least secure):

    1. Hardware token / U2F
    2. OTP on a physical security key (IE: Yubico Auth)
    3. OTP on another device / software.
    4. OTP on Password Manager or
    5. OTP on same device as Password Manager
    6. SMS 2FA
    7. Not using OTP
  • AGAlumB
    1Password Alumni

    I'm not sure it's really accurate to present it that way. It depends entirely on usage. As a practical matter, I'd still put SMS last because people behave more promiscuously when they believe that's secure, yet it's sent in the clear. But that seems like a reasonable "rule of thumb". Cheers! :)

This discussion has been closed.