Should 2FA code generation be separate from 1PWD for better security?

slobizman
Community Member
edited March 2021 in Lounge

I'm wondering if it's risky to use 1password for both passwords and 2FA codes for important websites. It is convenient, for sure, but when I think about sites like Coinbase or banks, I'm wondering if I should exclusively use a different 2FA Authorization app to display and manually key in the codes, rather than doing so from 1PWD. If I were to do this, then someone would have to hack into both 1password and the auth app.

Thoughts?


1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided

Comments

  • [Deleted User]
    Community Member

    @slobizman We've discussed this a number of times. The following thread is worth a read:

    https://1password.community/discussion/101714/why-is-it-a-good-idea-to-store-2fa-tokens-in-1password

  • slobizman
    Community Member

    Thank you.

  • ag_ana
    1Password Alumni

    Let us know if you have any questions :+1: :)

  • 1pwuser31547
    Community Member

    To add to that thread, the TOTP secret in an authenticator app, as I understand it, is stored unencrypted (by the app) versus in a password manager which of course is encrypted until you decrypt the database to generate the code. So there is a security benefit in storing it in a password manager.

    If you want to maximize the total security benefit of TOTP, including its "2nd factor" properties, then:
    1. Store the secret in a different database than your primary login credentials.
    2. Store the secret on a different device, encrypted with a different password than the password manager storing your login credentials (decrypted on demand to generate the TOTP).
    3. Store it on a device that's not exposed to the internet.

    You can do this by storing the secret on a USB device like a Yubikey or Onlykey which will generate (and type or copy to clipboard) the TOTP code.
    The most convenient way is of course in an authenticator app.
    Perhaps, a compromise/middle ground would be to store the secret in a different password manager (with different master password).

    Of course, the TOTP algorithm is really not a 2nd factor but merely a 2nd password, a shared secret like your primary password with some other unique properties - it should be more accurately classified as "augmented" 2nd step authentication.

    If you REALLY wanted your 2FA method to be more of a true 2 factor authentication method, you could set up an on-demand OTP, delivered to a unique email address which is maximally protected by a long/strong password (generated in a password manager) AND U2F authentication.

    This email account should ONLY have as its 2FA option the U2F method, no other method, and the email should have no recovery options (no phone or alternate email recovery options) and of course no forwarding settings.

    So now you have your primary account, in effect, protected by U2F of the email account.
    There's no shared secret (on demand TOTP delivered to a U2F protected account) to be potentially exposed/stolen from you or the authenticating server. Of course the phishing protection is no different than if you generated the OTP yourself.

    For maximal security:
    1. The email should NOT be the same email linked to the account, since that same email could be (maliciously) used for both password recovery and 2nd factor code delivery. This email should only exist for this 2FA reason.

    2. You should receive this TOTP code on a device (i.e., be logged into email) DIFFERENT from where you are authenticating with the primary password.

    3. Again, consider whether you want the password for the email address in the same database as the password for the primary account, analogous to the TOTP secret. This could mean storing the credential in a different password manager, etc.

    If the service only allows email delivery of the 2FA code to the email address on file, then you'll have to decide if this option is for you.

    If the service allows an on-demand OTP to a phone number only and/or does not allow for a separate email address for OTP delivery, you could potentially have the TOTP code sent to a Google Voice number, again linked to a different email address than the one on file, with all those same security properties previously outlined.

    Understand the pros and cons of each 2FA method and decide which is best for you.

    If avoiding the shared secret aspect of TOTP is most important to you then simply have an OTP sent to you by phone or email, making sure that these accounts are maximally protected (for example as above).

    If phishing protection is most important to you then U2F is best, assuming the service offers it, but also know that 1Password's autofill properties protect you against this as well.

    If you want to avoid the shared secret of TOTP while being on the further end of the TOTP "2nd factor spectrum", but don't have U2F or push notification as an option and are confident that you won't get locked out of your primary account, then you can consider what's outlined above.

    Most importantly, research these options carefully and discuss them with the primary service before implementing so you don't get locked out.

    Hope this helps.

  • williakz
    Community Member

    @1pwuser31547 Thanks for taking the time to put all that down. Saved to disk for later (slow and deliberate) consumption.

  • [Deleted User]
    Community Member

    @1pwuser31547 Some interesting thoughts, thanks. For those who don't want their TOTP 2FA secret stored on an internet connected device or the same device they use for 1Password, there are a number of hardware options. You mentioned YubiKey and Onlykey, there's also Token 2:

    https://www.token2.com/shop/category/programmable-tokens

  • 1pwuser31547
    Community Member

    @williakz You're very welcome.

    @missingbits Thanks. I had never heard of Token 2- looks very interesting.

    If you haven't already, check out OnlyKey- very versatile. It can store and type multiple long passwords (among other things).

    I have my 1PW master password, secret key and workstation passcodes stored on one of them. Since you don't have to type your password, you can make your password long and strong, maximizing security. You can also type an easy to remember prefix and have the complex part of the password stored on the key.

This discussion has been closed.