undefined | Better HN

0 pointsXavdidtheshadow5y ago0 comments

This isn't quite true. 2FA still protects you from password breaches (and weak passwords, though you shouldn't have those if you're using a password manager).

Also, keeping 2FA codes in a syncable password manager is a huge boon for people who ever break/lose phones. Can't tell you how many people get locked out of their accounts because they lose their 2FA codes.

As an alternative, companies have to have a 2FA-reset process. The fact that such a system exists weakens the entire system, which is too bad.

0 comments

2 comments · 1 top-level

Ajedi325y ago· 1 in thread

TOTP-based 2FA wouldn't protect you against a password breach, since the breach would most likely include the TOTP seed alongside any password hashes.

WebAuthn-based 2FA would; but AFAIK there isn't really a way to store WebAuthn keys in password managers at the moment.

mdaniel5y ago

I was curious about that, so I looked into it; KeePassXC is having some mixed messages about it:

https://github.com/keepassxreboot/keepassxc/issues/1870 says "awesome!"

https://github.com/keepassxreboot/keepassxc/issues/1996 says "go away"

and I can't figure out what is going on with https://github.com/keepassxreboot/keepassxc/issues/3560

They reference https://github.com/kryptco/kr-u2f in one of the issues, but it was bought by Akamai and the code was never under an open source license to begin with :-(

j / k navigate · click thread line to collapse