undefined | Better HN

0 pointslnl5y ago0 comments

> you're back to 1 factor (your password manager master password)

That's only true if you are using an online service as a password manager, so the master password is the only thing protecting you. Not necessarily for offline password managers. E.g. in my case, I use Keepass that I never sync/store online, so even without enabling a website's 2FA, for many attack models I am effectively using 2FA: logging into the website requires both something I have (a device with my Keepass database) and something I know (the password for my Keepass database). But without website 2FA those two factors then produce one single factor (the website's password) that is transmitted to log in, so enabling website's 2FA and storing it in Keepass makes it 2FA against even more attack models, i.e. attacks where it's not my password database that it compromised, but just that one password. So it's still a benefit.

If I ever feel the need to sync my Keepass database, e.g. on Dropbox; I could set a key file (that I transferred offline between my devices) in addition to the master password to preserve this 2FA aspect, so that even if my Dropbox password and Keepass master password were both compromised, they would still be useless without access to my devices that contain the key file. But I never had the need to use my password manager on a different device, so no syncing needed so far. In any case, I don't actually care about 2FA (when I enable 2FA, I actually do it to decrease security, not increase it, as I explained in my other comment), this 2FA is just a bonus of my not needing and liking online services.

0 comments

2 comments · 1 top-level

CrendKing5y ago· 1 in thread

In which case would attacker be able to compromise your password but not the 2FA code? Eavesdropping on an unencrypted channel would be one, but given how ubiquitous https is, it's hardly a concern.

Most likely there would be a breach on the site's database, where all password hashes, and the TOTP seeds are stored. In that case, having 2FA or not doesn't make any difference.

2FA is usually useful if the user is not confidence of the integrity of his login device, e.g. public library computer. If you are perfectly confident of your own device, there isn't really any point of having 2FA.

lnlOP5y ago

The only cases that I can think of are me doing something stupid, like posting my password somewhere public by mistake (e.g. using KeePass password auto-typing on comment field instead of password field, or pasting it in a wrong place if I am copy-pasting), or a phishing attack where I foolishly insist on copy-pasting my password when it doesn't auto-type. But even in those cases, 2FA would indeed be of very limited help since:

1) In the first case, chances are that I would realize this immediately and change my password, which I would have time to do as there is no actual attacker yet; only future opportunistic attackers. 2FA would be useful only if I not only pasted my password and 2FA code, but then not even realized it. Then 2FA might help since by the time anybody notices this, the 2FA code would be invalid.

2) In the second case, if the phishing attack is not real-time (i.e. attackers are just recording my credentials instead of immediately logging in in my place), 2FA would help since the 2FA they stored would be invalid when they tried using it. 2FA is less helpful in a real-time phishing attack; though having 2FA might still help since changing my login credentials would presumably require another 2FA code so at least they can't lock me out (unless they can convince me that I need to enter another 2FA code, which I guess is possible if I was absent-minded enough to fall for it in the first place).

In any case, I don't worry much about these scenarios and I agree with you about 2FA, that's why I don't usually bother with it except in cases where websites freak out because I keep logging in from foreign IPs with no cookies. Then 2FA is useful because it makes the website trust my login, at no additional inconvenience to me as KeePass auto-types 2FA code just like my password, so I don't mind enabling it when I can.

j / k navigate · click thread line to collapse