kmtharakan
5 years ago · New Contributor
2FA
I've been told that I should use a third-party app like Authy for 2FA authentication instead of leaving that in 1Password as well.
i.e., don't leave all of your eggs in 1 basket.
Can someone tel...
Former Member
5 years ago
kmtharakan I should start by saying that I keep most of my TOTP secrets in Authy and only store the ones in 1Password that I want to share with my family. However, I think it is perfectly safe to save them in 1Password, and storing them separately doesn't protect against the most common type of attack, phishing.
If you log in to a phishing site, 1Password should refuse to auto-fill the credentials, but you can force the login by copying and pasting the username, password and one-time passcode. If you use Authy to generate the one-time passcode, you will copy and paste the username and password from 1Password and then manually enter the one-time passcode from Authy. The result is exactly the same: the attacker has your username, password and a one-time passcode that is valid for 30 seconds. They do not have the TOTP secret used to generate the one-time passcode, so they need to use the one-time passcode within 30 seconds or so.
The benefit of storing passwords and TOTP secrets on separate devices is that you are less vulnerable to malware on your device. However, most authenticator apps save your TOTP secrets unencrypted on your device and rely on application separation for protection, whereas 1Password encrypts your TOTP secrets with your account password and Secret Key. So a comparison of the two approaches is not straightforward.
In my opinion, if you are using unique random passwords on each website and two-factor authentication wherever it is available, then you are more likely to lock yourself out than be the victim of a credential theft attack. So I agree with Former Member that most people are better off storing all their credentials in 1Password, where they are backed up.
I would make sure you have 2FA enabled on your 1Password account, and I would avoid using Microsoft Authenticator. The TOTP secrets are stored in your Microsoft account, and anyone with access to your account can access them. If you have your phone number set as a recovery method, then this leaves you open to SIM swap attacks. Authy encrypts your TOTP secrets with a key derived from your backup password, so it is not vulnerable, and you can use it to secure your Microsoft account.
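The answer above rests on how TOTP works: the code is an HMAC of the shared secret and the current 30-second time step, so a code that leaks in a phishing form is only usable for that step (plus whatever drift tolerance the verifier allows), while the secret itself never leaves the authenticator. The following RFC 6238 implementation is an added example written for this thread; it is not code from 1Password, Authy or any other product mentioned. The secret and timestamps are the published RFC 6238 test values, and the `window` parameter of `verify_totp` is an assumed drift tolerance of one step on either side, which is why a phished code can survive "30 seconds or so" rather than exactly 30.

```python
import hashlib
import hmac
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 4226 HOTP: HMAC(secret, counter) -> dynamic truncation -> decimal code."""
    msg = struct.pack(">Q", counter)                     # 8-byte big-endian counter
    digest = hmac.new(secret, msg, algo).digest()
    offset = digest[-1] & 0x0F                           # low nibble picks a 4-byte slice
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to the current time step."""
    return hotp(secret, at // step, digits, algo)


def verify_totp(secret: bytes, code: str, at: int, step: int = 30,
                digits: int = 6, window: int = 1) -> bool:
    """Server-side check. `window` (assumed tolerance) accepts codes from
    neighbouring steps so that slightly skewed clocks still work; it also
    bounds how long a captured code stays usable."""
    counter = at // step
    for delta in range(-window, window + 1):
        candidate = hotp(secret, counter + delta, digits)
        if hmac.compare_digest(candidate, code):          # constant-time comparison
            return True
    return False


# RFC 6238 Appendix B test seed (ASCII "12345678901234567890"), 8-digit codes.
RFC_SEED = b"12345678901234567890"


def rfc_vectors() -> dict:
    """Reproduce two of the published RFC 6238 SHA-1 vectors."""
    return {
        59: totp(RFC_SEED, 59, digits=8),                 # expected 94287082
        1111111109: totp(RFC_SEED, 1111111109, digits=8), # expected 07081804
    }


def captured_code_lifetime(secret: bytes, captured_at: int, step: int = 30,
                           window: int = 1) -> int:
    """How many seconds after capture a phished code is still accepted by a
    verifier with the given window. Shows the code expires; the secret does not."""
    code = totp(secret, captured_at, step)
    seconds = 0
    while verify_totp(secret, code, captured_at + seconds, step, window=window):
        seconds += 1
    return seconds


if __name__ == "__main__":
    now = int(time.time())
    print("current code:", totp(RFC_SEED, now))
    print("RFC vectors:", rfc_vectors())
    print("phished code usable for", captured_code_lifetime(RFC_SEED, now), "seconds")
```

Run as a script it prints a live code, the RFC check values, and how long a code captured at this instant would remain valid against a verifier that tolerates one step of drift. The last number is at most 60 seconds (the remainder of the current step plus one full step), which is the practical limit on what a phishing site gains from a relayed one-time code.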