Hey there @McJoppy
> Does adding MFA tokens to 1Password [...] increase or decrease as tokens are added?
Your Watchtower score goes down a bit for each item that could use two-factor authentication but isn't. Resolving that will remove that "penalty", for lack of a better word. Having multiple tokens won't make a difference – it's about whether two-factor authentication is turned on for that Login item or not.
> Given the 'something I know' and 'something I have' concept of MFA, it seems strange that MFA tokens are offered to be stored in a password manager.
Without getting totally tangled in a mess of semantics, one could say that if you're using strong, randomly-generated passwords for your online accounts, those passwords aren't "something you know" anyway! 😄 The only "something you know" should be your 1Password account password, and you shouldn't need to remember anything else. The passwords for your online accounts become more of a "something you find" instead.
The "something you have" in this case is your 1Password data, which can only be obtained with your email address, Secret Key, and account password.
Let's consider a similar example: your contacts on your phone. In that case, in order to access them, the "something you have" would be physical access to the device itself (ignoring cloud sync for this hypothetical example), and the "something you know" would be the passcode, PIN, or gesture to unlock the phone. Even if I know how to unlock your phone, it's useless without the phone itself.
When using 1Password as the authenticator for your Logins, the "something you have" is access to your 1Password data on one of your devices, and the "something you know" is your account password. It's a similar paradigm, but abstracted out one layer, essentially. One is still useless without the other:
Don't have, don't know — No access to device with 1Password signed in + no account password = no access to unencrypted data
Do have, don't know — Access to device with 1Password signed in + no account password = no access to unencrypted data
Don't have, do know — No access to device with 1Password signed in + known account password = still no access, because Secret Key is required
Do have, do know — Access to device with 1Password signed in + known account password = access granted
The Secret Key is required when signing in to 1Password.com or signing in to your 1Password account on a new device, which renders attacks like we've seen lately infeasible against 1Password customers – we're built differently.
I hope that answers your question fully, but please do let me know if I can be of any further help. :)
— Grey