undefined | Better HN

0 pointsjw12244y ago0 comments

1Password’s 2FA OTP auto-fill is such a blessing.

It saves me so much time compared to how I used to have to do it — pull out phone, unlock, open Authy, wait forever for it to load, type in code, put phone away…

It’s the little things that all add up. I’m very happy with 1Password — been using it for 10 years, and happy to subscribe, considering it’s probably my most-used utility app.

0 comments

8 comments · 2 top-level

andrecarini4y ago· 4 in thread

> 1Password’s 2FA OTP auto-fill is such a blessing.

Until your vault is somehow compromised and your second factor is no longer distinct from the first one...

mdaniel4y ago

I am cognizant of this risk, and assume it, because security is always a spectrum between Secure and Convenient. If I had to pull out my phone every time I wanted to use 2FA, I for sure would not be so liberal to turn it on for all the "low value" properties the way I do now

I have never even _heard_ of someone having their 1P master password compromised and the vault(s) exfiltrated (although I grant you it could be just because the NSA doesn't write blog posts about their pwn2own victories)

It's my recollection AgileBits is also running (that is: currently) a CTF with a publicly exposed vault, so folks can test the resilience against attack for themselves

andrecarini4y ago

> I am cognizant of this risk, and assume it, because security is always a spectrum between Secure and Convenient.

Absolutely. But also, in such setup, the security benefit of 2FA/OTP codes are negligible at best since there are no conditions under which only one factor could be compromised without also having the other factor leaked (assuming you're using unique passwords for each identity, which is the entire point of a password manager).

However, I suppose it could be used for bypassing the inconvenience of mandated 2FA scenarios (to the dismay of your company's security team).

3 more replies

Spivak4y ago

If my password vault is compromised it's game over anyway. There's enough access in there to remove the 2FA on all of my accounts even if you didn't have the codes. There's no way I'm giving up breakglass access and risking locking myself out of my accounts permanently or while I'm on road if I lose my phone.

The point of using 2FA for me is to protect me against my password being compromised since it's a long_lived access key.

andrecarini4y ago

I believe there's barely no benefit to setting up a TOTP 2FA for those accounts if you're going to store the backup codes/token seed along with the password in the same vault.

> If my password vault is compromised it's game over anyway.

There are ways you could make a vault compromise not mean a complete/irreversible takeover, but that would either give up breakglass access as you say or add complexity and reduce availability.

> The point of using 2FA for me is to protect me against my password being compromised since it's a long_lived access key.

In which situations on your setup would a unique password compromise not imply there's also been a TOTP token/seed compromise?

mvanbaak4y ago· 2 in thread

Authy has a desktop app :)

FabHK4y ago

And Authy has an Apple Watch app, btw, that's very nice. Put it on the bottom button, and 2FA is fast and pretty convenient.

mvanbaak4y ago

TIL that it can be even easier. Thanks!

j / k navigate · click thread line to collapse

0 comments

8 comments · 2 top-level

andrecarini4y ago· 4 in thread

> 1Password’s 2FA OTP auto-fill is such a blessing.

Until your vault is somehow compromised and your second factor is no longer distinct from the first one...

mdaniel4y ago

It's my recollection AgileBits is also running (that is: currently) a CTF with a publicly exposed vault, so folks can test the resilience against attack for themselves

andrecarini4y ago

> I am cognizant of this risk, and assume it, because security is always a spectrum between Secure and Convenient.

However, I suppose it could be used for bypassing the inconvenience of mandated 2FA scenarios (to the dismay of your company's security team).

3 more replies

Spivak4y ago

The point of using 2FA for me is to protect me against my password being compromised since it's a long_lived access key.

andrecarini4y ago

I believe there's barely no benefit to setting up a TOTP 2FA for those accounts if you're going to store the backup codes/token seed along with the password in the same vault.

> If my password vault is compromised it's game over anyway.

There are ways you could make a vault compromise not mean a complete/irreversible takeover, but that would either give up breakglass access as you say or add complexity and reduce availability.

> The point of using 2FA for me is to protect me against my password being compromised since it's a long_lived access key.

In which situations on your setup would a unique password compromise not imply there's also been a TOTP token/seed compromise?

mvanbaak4y ago· 2 in thread

Authy has a desktop app :)

FabHK4y ago

And Authy has an Apple Watch app, btw, that's very nice. Put it on the bottom button, and 2FA is fast and pretty convenient.

mvanbaak4y ago

TIL that it can be even easier. Thanks!

j / k navigate · click thread line to collapse