tabletple.blogg.se

Lastpass totp











Is this madness? Or a good life choice?

What 2FA is

Logging into your bank using 2FA means using two-factor authentication. It’s often summarised by saying “something you know (a password) and something you have (a physical thing)”, with the physical thing being used, in most cases, to give you a code like 410192 above.

If you store your code with your password, clearly that doesn’t make it two-factor authentication any more. You lose all the advantages of two-factor authentication.

To sign into Bitwarden (on a new machine), I need my username, my password, and a physical key (I use a Yubikey). That’s 2FA right there: without the physical key, you cannot get into my Bitwarden account. So the 410192 above is still acting as 2FA: without my physical presence, you’re not getting into my Bitwarden account, and without that, you’d not have learnt my 410192 code. (I have two physical keys: one which I carry with me, and one which is locked up somewhere safe.)

A TOTP code used to log into your bank, like the 410192 code above, is a Time-based One Time Password. It changes every thirty seconds, and is based on having an accurate clock on my device. If you store your code with your password, nothing changes here. It’s still a TOTP code, and thieves still can’t get in without it. It doesn’t matter whether it’s on a physical key, in a password manager, or anywhere else: it means that if a thief has access to your bank username and bank password, they still can’t get in without your TOTP code.

Storing them in your password manager is probably as safe, or even safer, than using your phone

Many people, like Google or the government, text a code to your mobile phone when logging in. That might be visible on my mobile phone’s lockscreen, or my SIM card could be cloned and used elsewhere. It’s much better than having nothing at all, of course: but it’s not quite as secure.

If you’re storing your 2FA code using Google Authenticator or Authy on your phone, and your password is saved on your phone, then you’ve no two-factor authentication anyway. Both are being stored on the same device, just like your password manager would. Lose your phone with Google Authenticator installed, and you lose your codes. If you change phones, you can manually transfer those codes these days, assuming that you still have access to your old phone, but it’s a monumental hassle to switch otherwise.

There is, undoubtedly, a small security tradeoff with storing your TOTP codes alongside your passwords in your password manager. However, storing them there a) makes them easier to use (CTRL+L, CTRL+V as above), b) makes them always backed up and available to you, and c) is always better than not using TOTP at all.
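
The TOTP behaviour described above (a code that changes every thirty seconds and depends on an accurate clock), as an added example that is not from the original post: a minimal RFC 6238 implementation showing that the code is a function of the shared secret and the time only, so it is identical wherever the secret is stored, and that a verifier rejects a code from a clock five minutes off. The secret is the RFC 6238 test key, and the names SECRET, totp, verify and demo are chosen for this example.

```python
import hashlib
import hmac
import struct

# Constructed sample secret: the ASCII test key from RFC 6238, Appendix B.
SECRET = b"12345678901234567890"


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP with HMAC-SHA1: depends only on the secret and the clock."""
    counter = unix_time // step                       # 30-second window number
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                           # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)    # keep leading zeros


def verify(secret: bytes, submitted: str, server_time: int,
           drift_steps: int = 1, step: int = 30) -> bool:
    """Server-side check that tolerates +/- drift_steps windows of clock drift."""
    ok = False
    for d in range(-drift_steps, drift_steps + 1):
        expected = totp(secret, server_time + d * step, step, len(submitted))
        ok |= hmac.compare_digest(expected, submitted)  # constant-time compare
    return ok


def demo() -> dict:
    now = 1234567890                          # constructed server time
    phone_code = totp(SECRET, now)            # secret held in a phone app
    manager_code = totp(SECRET, now + 20)     # same secret in a password manager,
                                              # read 20 s later in the same window
    slow_code = totp(SECRET, now - 300)       # device whose clock is 5 minutes slow
    return {
        "same_code": phone_code == manager_code,
        "accepted": verify(SECRET, phone_code, now),
        "skewed_accepted": verify(SECRET, slow_code, now),
    }


if __name__ == "__main__":
    print(demo())
```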











