undefined | Better HN

0 pointsWowfunhappy4y ago0 comments

A prompt on my phone and an app on my phone come down to the same thing, and I'm not interested in getting a physical hardware security key. The backup codes are one-time use, and there is no way I would keep track of a slip of paper for years without loosing it.

I could use my password manager (Bitwarden) as my TOTP generator, and I may eventually do that just to make all of these services shut up. But, wouldn't that leave my account no more secure than it already is today? It would effectively be single-factor authentication, since the password and the generator would be in the same place, protected by the same master password.

0 comments

3 comments · 1 top-level

brirec4y ago· 2 in thread

I’m not sure about Bitwarden, but 1Password requires quite a few pieces of information to log in on a new computer, because it derives the encryption key from both the hash of your password and the “Secret Key”. Effectively, it still IS 2FA, with the “something you have” factor being a device activated with the secret key and your 1Password OTP. If you don’t sign into your password manager on your computer directly this should be fine. But you do, of course, lose the ability to paste passwords.

WowfunhappyOP4y ago

But regardless of how the vault is protected, your password and your otp generator are both stored there, right? If you have access to one, you have access to the other. So, I don’t understand how requiring both to log in to Google improves security in any meaningful way.

jefftk4y ago

It's often much easier for someone to manage to get a copy of your password for a specific application than to get a copy of your unencrypted vault.

j / k navigate · click thread line to collapse