2FA

Let me add to this excellent discussion, just one thing - consider the value (to you and a phishing attacker) of certain accounts. Identity proof: My email account has 2FA, but not stored in 1P. that protects my online identity. I cannot allow that to get phished. ever. (Its also more advanced than just TOTP, thanks MS new passwordless option.
Got Crypto? aka non-recoverable stuff ? state secrets? store/get/authenticate those TOTP/OTP only on a separate physical device.

Great questions and discussion though. its always good to re-think these.

Marc.

Thanks to rootzero and Former Member for your additional input! :smile:

kmtharakan I should start by saying that I keep most of my TOTP secrets in Authy and only store the ones in 1Password that I want to share with my family. However, I think it is perfectly safe to save them in 1Password and storing them separately doesn't protect against the most common type of attack, phishing.

If you login to a phishing site, 1Password should refuse to auto-fill the credentials, but you can force the login by copying and pasting the username, password and one time passcode. If you use Authy to generate the one time passcode, you will copy and past the username and password from 1Password and then manually enter the one time passcode from Authy. The result is exactly the same, the attacker has your username, password and a one time passcode that is valid for 30 seconds. They do not have the TOTP secret used to generate the one time passcode, so they need to use the one time passcode within 30 seconds or so.

The benefit of storing passwords and TOTP secrets on separate devices is that you are less vulnerable to malware on your device. However, most authenticator apps save your TOTP secrets unencrypted on your device and rely on application separation for protection. Whereas, 1Password encrypts your TOTP secrets with your account password and secret key. So comparison of the two approaches is not straightforward.

In my opinion, if you are using unique random passwords on each website and two factor authentication wherever it is available then you are more likely to lock yourself out than be the victim of a credential theft attack. So I agree with Former Member that most people are better off storing all their credentials in 1Password where they are backed-up.

I would make sure you have 2FA enabled on your 1Password account and I would avoid using Microsoft Authenticator. The TOTP secrets are stored in your Microsoft account and any one with access to your account can access them. If you have your phone number set as a recovery method then this leaves you open to SIM swap attacks. Authy encrypts your TOTP secrets with a key derived from your backups password, so it is not vulnerable and you can use it to secure your Microsoft account.

Jack's (and Blake's) answer is written from the 1Password point of view. Now let's look at the attacker's point of view.

The common attacker is trying to phish credentials and steal them in great amounts by hacking big internet services and stealing their user databases. He might even manage to get some trojan keylogger on your computer. He is going for millions of accounts, using automated tools to hack accounts on servers.

If you fall for a phish, become victim to a keylogger or your user data is stolen from some service, the attacker gets userid and password as worst case. What he will not get by this means is the secret 2fa code that is used to generate the OTP tokens, even if it is stored somewhere on your computer or in your personal password database. He might phish one OTP (that expires after 30 seconds), but he will not get the secret used to generate OTPs. This is never asked, never stored in server account databases, you will never expose it while being phished, and a keylogger isn't able to grab it, because you never copy it into the clipboard - it just sits silently in the OTP generator.

As long as you are not a directly (personally) targeted victim, as long as you are only subject to anonymous mass hacking, your OTP secret will never be extracted from the (encrypted) depths of the local 1Password database. This requires a quite customized attack, and since 1Password is (unfortunately) not a market leader with 80% market dominance, nobody will create hacking tools mass targeted to 1Password, because the expected return is tiny compared to all the other people who don't use 1Password and 2fa in the first place.

So it's reasonably secure to put all eggs into the same basket and store the OTP secrets with 1Password. If you are a VIP with accounts so valuable that individual hackers will target you personally, you should store your 2fa secrets on different devices, but if you are the ordinary anonymous user, just put them into 1Password.
It also acts similar to a backup, since they are cloud stored. If you store the codes within some smartphone authenticator app only, and the smartphone fails, you have a problem. Having them in the cloud even kind of improves security, because it's more difficult to lose them.

Personally, I have the codes in Microsoft authenticator as well as in 1Password. I need the authenticator app anyway, because I have a Microsoft account, and I duplicated the codes over both. Sometimes it is more convenient to use the authenticator app if the code only is asked, sometimes it is more convenient to use 1Password for the code, so I use them accordingly.

Hey kmtharakan:

Great question! What my colleague Blake wrote here is a fantastic answer as to why, as well as has some additional discussion about this very topic:

Short answer: I would recommend keeping your 2FA codes within 1Password. Then focus on keeping your 1Password account secure (i.e. don't share your Master Password with anyone or anything). To that end, if you're feeling fancy, you can enable two-factor authentication on your 1Password account, keeping the convenience of having your 2FA codes autofilled by 1Password and restoring the true two-factorness.

Slightly longer answer: The most important part of securing your online accounts is using strong, unique passwords for each sites (for which 1Password is perfect). The next most important part is code-based 2FA, which brings two main advantages:

• "One-timeness" - a password is the same every time you use it, meaning if it's compromised in transit (like if you're on a non-HTTPS site and an unsecured WiFi network), it's useful to a potential attacker until you change it. The one-time passwords of 2FA change every 30 seconds following a pattern only you and your authenticator app know, so a potential attacker intercepting your network traffic now has an extremely limited window of usefulness on the captured information.

• "Second factor" - If you keep a password for an account on one of your devices, and only sign in to that account on that device, while your 2FA codes are stored on a separate device, you have a true second factor. A potential attacker would need both devices to access your account, hence the two of two-factor authentication.

TL;DR? Keeping your 2FA codes with your passwords in 1Password removes the true second factor aspect of 2FA. But it retains the one-timeness, which makes the theoretical "weak link" your 1Password vault. Which is a pretty sweet weak link, if you ask me. 😉

If you're up for a more in-depth read on this particular topic, our very own Head of Security, @jpgoldberg covers this pretty well over on this blog post.

If you've got any further questions, let me know and I'd be happy to help you out!

Jack