Technically, perhaps. Pragmatically, not really.
This was in response to a recent article discussing how I found that my password vault — 1Password — was capable of replacing Authy as my second factor. (Authy is discontinuing PC support, whereas 1Password works everywhere.)
Very technically, yes, your security may be slightly decreased. I don’t consider that amount to be sufficient to side-step the convenience. In fact, there’s a possibility that it might be more secure than using Authy desktop.
Your concern is based on an exceptionally unlikely event.
Become a Patron of Ask Leo! and go ad-free!
2FA stored in your password vault
Storing 2FA codes in your password vault alongside passwords slightly reduces security, but the risk is minimal compared to the convenience. Compromising 1Password such that your information would be visible is extremely unlikely. Using a password vault for both passwords and 2FA might even be more secure than using separate PC apps like Authy.
The concern
Your question is centered on a very improbable occurrence: “If 1Password is compromised.”
Compromising 1Password isn’t likely enough for this to be an issue. Remember, your data is inaccessible to 1Password. They can’t see your passwords or two-factor tokens at all, and thus anything stolen in a breach would be unusable to the thieves1.
A hacker would need to not just compromise 1Password but then use that compromise to surreptitiously make changes to the 1Password software that would allow them to exfiltrate passwords directly from users’ machines. That’s the only place passwords are ever visible.
I’m more than satisfied that a 1Password breach is extremely unlikely. That a breach would allow the hacker to modify 1Password code without anyone noticing is even more implausible.
So, from my perspective, we’re talking about an unlikely event that relies on another extremely unlikely event for this scenario to play out.
Possible? Sure. Anything is possible. I’ll talk about that in a second.
So someone walks up to your computer
Consider this scenario: you’re using 1Password as both your password vault and to store your two-factor authentication tokens.
Say someone walks up to your machine while you’re not looking. They would have to know either your 1Password master password or your Windows Hello PIN (or have your face or fingerprint) in order to access what you have stored in 1Password. (You can configure 1Password to lock itself in as short as one minute after its last use, at which point it requires sign-in again.)
Both your passwords and two-factor tokens are secure.
Now consider this scenario: you’re using 1Password as password vault and Authy for your two-factor authentication tokens, and someone walks up to your machine again.
Same requirement for 1Password: master password or PIN to get in.
Authy, on the other hand, is just there. Simply accessing your PC allows your visitor to see the two-factor tokens stored in Authy.
This makes the 1Password-only solution arguably somewhat more secure.
Besides, hackers have easier approaches
Most account hacks happen via one of two vectors.
- Phishing. I’d guess this is the most common and successful technique these days. An email directs you to sign in at a sensitive site, like your bank. Of course, it’s not your bank at all, but a fake clone set up by the hacker. When you “sign in” to the fake site, you’re handing over your username and password to the hackers.
- Attachments. Attachments carrying malware are likely #2. The malware more commonly targets your browser, or even your specific bank, rather than trying to finagle something with your password vault. As you sign in to your (real) bank later, the malware slurps up the username and password once again.
Two-factor authentication prevents these approaches from being successful I’d say over 99% of the time. That’s why I harp on it so much. Yes, the hacker may have gotten your username and password, but they won’t have your second factor. Rather than expend more energy on you, they’ll move on to someone else who is less security-conscious.
Security starts with you
As I said above, your passwords are decrypted and visible only on your machine. So for this to ever be a problem, your machine needs to be compromised in some form already.
That’s always been true. Malware can do anything. So anything stored on your machine is technically at risk if you allow malware on your machine.
The good news is that this is an extremely complex and uncommon vector for malware to take. There are easier ways for hackers to get your information.
Related
Why ANY Two-Factor Is Better than No Two-Factor
Headlines are proclaiming that two-factor authentication has been hacked. That in no way means you shouldn't use it. Your account is still much safer with two-factor enabled.There’s no such thing as perfection
One of the things I hate about presenting information like this is that I can’t speak in absolutes. I can’t say “Do this and I guarantee you’ll be absolutely safe.” Security is a spectrum. Anything is possible. There are no absolutes.
Our job is to strive to be more secure to the point where we get to a pragmatic level of “secure enough”.
If you are a high-value target, then “secure enough” is different for you than the average person. Someone could target malware specifically designed to exfiltrate your password vault’s database from your machine the next time you unlock it. That would be difficult and time-consuming, which is why I say you’d have to be a high-value target to be worth the effort. And you’d have to let your guard down long enough for the malware to make it onto your machine.
If you’re a high-value target, then generic security advice from the internet isn’t for you. You need stronger solutions from security professionals.
For the rest of us, though, making it easy to enable and use two-factor authentication is the key. Having that all wrapped up in a single application you may already be using that’s designed from the ground up to be secure works for me.
Do this
Use two-factor authentication. Everything else is refinement.
If you don’t like the thought of having your two-factor codes in your password manager, then don’t. Use a separate app. In my opinion, you might be infinitesimally more secure at the cost of some convenience.
Given that convenience keeps many from considering 2FA, I’m more than happy to recommend having it all bundled in with my password manager.
It’s what I do myself.
Want more clarity about technology and security? Subscribe to Confident Computing! Less frustration and more confidence, solutions, answers, and tips in your inbox every week.
Podcast audio
Related Video
Footnotes & References
1: Honestly, this is the saving grace that kept the LassPass issue from being worse. Same architecture: whatever was stolen could not be used to retrieve users’ passwords.
“Two-factor authentication prevents these approaches from being successful I’d say over 99% of the time.” Wouldn’t it be closer to 99.999%? Unless you are being personally targeted, the odds of a 2 factor hack are nearly zero.
I use Bitwarden, which also has an extension with the capability of being used for providing TOTP codes for two-factor authentication.
To log into my Bitwarden vault via the web interface or the desktop app requires two-factor authentication as well. In my case, the second factor is a Yubikey.
My understanding of how password managers function is that the providers have “zero-knowledge” of the vault contents, meaning that without the master password, everything stored in the vault is encrypted and inaccessible to anyone else.
Even if Bitwarden suffered a calamity breach as happened with LastPass, it would take a hacker an extreme amount computing power to crack my vault (I use a passphrase, not a password as the master password). Wouldn’t the theoretical hacker in this case get stymied because of two-factor authentication?
Some LastPass accounts did get cracked because LastPass didn’t push users to update their settings and those who adopted LastPass in the early days didn’t update their accounts in regard to the iteration settings, leaving it set at 100100 and not changing it to 600600, as later users were using.
Anyhow, I try to follow the practices I’ve learned here on Ask Leo! and elsewhere to put as many barriers up as I find practical to work with as I can.
I abandoned Authy and moved all my 2FA TOTP use to my PC password manager, Bitwarden. I still have a couple sites in my phone’s Google Authenticator.
My next trick will be learning how to use Passkeys and storing them in Bitwarden too. I’m uneasy about tying Passkeys to devices like my phone or laptop but Bitwarden isn’t hardware, it’s portable so I can use Passkeys anywhere I can use Bitwarden.
For the more paranoid.
Put your login credentials into one password manager & put the OTPs into a password manager from a different provider.
Even if one is hacked & it turns out the password manager has some vulnerabilities (cough LastPass), the hacker will lack complete information.
The other option is to have the OTPs in a hardware form (where your risk is loss / theft of the key). If you have a situation where you share credentials with a partner/ spouse, hardware keys are less convenient than a password manager.
It’s important to have backups of all hardware keys in the same way it’s important to have backups of everything that can possibly be backed up.
Add me to the list of others who gets their 2FA codes via Bitwarden. Much easier and I use a passphrase as well.
I’m confused about the whole idea of storing 2FA tokens in my password manager. I use Google authenticator for 2FA. If I want to add a new account to the authenticator app, it scans a QR code supplied by the account and the account then asks for a 6-digit code from the app. Once that 6-digit code is accepted, then the app is able to provide similar 6-digit codes in the regular 2FA process. So what codes or tokens are we talking about storing in a password manager? Is it an image of the QR code? Surely it’s not the 6-digit codes, which expire after 30 seconds. Can someone explain what I would store in my password manager?
The password manager works like google authenticator: it scans the QR code. (Desktop versions look for QR codes on screen or clipboard).
Thanks Patrick, I would also like to better understand how to use 1Password for 2FA.
Ron
Roboform password manager also has 2FA capability, and it’s well implemented. When you enable 2FA in an app that you’ve logged into with Roboform, it automatically reads the supplied code and asks if you want to save it into that app’s password entry. Subsequent logins supplies the code automatically.