Technology in terms you understand. Sign up for the Confident Computing newsletter for weekly solutions to make your life easier. Click here and get The Ask Leo! Guide to Staying Safe on the Internet — FREE Edition as my thank you for subscribing!

Isn’t Putting Two Factor Codes in My Password Vault Less Secure?

Technically, perhaps. Pragmatically, not really.

Storing 2FA codes in 1Password alongside passwords might slightly reduce security, but the risk is minimal, especially compared to the convenience.
A formidable fortress stands under a clear sky, its design a blend of medieval strength and modern mystery. The large, wooden door at the fortress's entrance is secured with a robust lock, symbolizing protection and secrecy. Above this door, a sign boldly proclaims "Passwords," hinting at the digital fortification concepts within. Emblazoned on the door is a shield, an emblem of defense and security. Beside the main entrance, a small, quaint ticket kiosk offers a juxtaposition to the fortress's grandeur. This kiosk sports a sign that reads "2FA," and another says "PASS", suggesting a modern, technological gateway requirement akin to two-factor authentication. The entire scene merges the aesthetic of ancient castles with contemporary cybersecurity themes, illustrating a unique intersection of the past and present security measures.
(Image: DALL-E 3)
Question: Surely having 2FA in 1Password along with your username/password is asking for trouble. If 1Password is compromised, the hacker then has login details and 2FA all set waiting for them.

This was in response to a recent article discussing how I found that my password vault — 1Password — was capable of replacing Authy as my second factor. (Authy is discontinuing PC support, whereas 1Password works everywhere.)

Very technically, yes, your security may be slightly decreased. I don’t consider that amount to be sufficient to side-step the convenience. In fact, there’s a possibility that it might be more secure than using Authy desktop.

Your concern is based on an exceptionally unlikely event.

Become a Patron of Ask Leo! and go ad-free!


2FA stored in your password vault

Storing 2FA codes in your password vault alongside passwords slightly reduces security, but the risk is minimal compared to the convenience. Compromising 1Password such that your information would be visible is extremely unlikely. Using a password vault for both passwords and 2FA might even be more secure than using separate PC apps like Authy.

The concern

Your question is centered on a very improbable occurrence: “If 1Password is compromised.”

Compromising 1Password isn’t likely enough for this to be an issue. Remember, your data is inaccessible to 1Password. They can’t see your passwords or two-factor tokens at all, and thus anything stolen in a breach would be unusable to the thieves1.

A hacker would need to not just compromise 1Password but then use that compromise to surreptitiously make changes to the 1Password software that would allow them to exfiltrate passwords directly from users’ machines. That’s the only place passwords are ever visible.

I’m more than satisfied that a 1Password breach is extremely unlikely. That a breach would allow the hacker to modify 1Password code without anyone noticing is even more implausible.

So, from my perspective, we’re talking about an unlikely event that relies on another extremely unlikely event for this scenario to play out.

Possible? Sure. Anything is possible. I’ll talk about that in a second.

So someone walks up to your computer

Consider this scenario: you’re using 1Password as both your password vault and to store your two-factor authentication tokens.

Say someone walks up to your machine while you’re not looking. They would have to know either your 1Password master password or your Windows Hello PIN (or have your face or fingerprint) in order to access what you have stored in 1Password. (You can configure 1Password to lock itself in as short as one minute after its last use, at which point it requires sign-in again.)

Both your passwords and two-factor tokens are secure.

Now consider this scenario: you’re using 1Password as password vault and Authy for your two-factor authentication tokens, and someone walks up to your machine again.

Same requirement for 1Password: master password or PIN to get in.

Authy, on the other hand, is just there. Simply accessing your PC allows your visitor to see the two-factor tokens stored in Authy.

This makes the 1Password-only solution arguably somewhat more secure.

Besides, hackers have easier approaches

Most account hacks happen via one of two vectors.

  • Phishing. I’d guess this is the most common and successful technique these days. An email directs you to sign in at a sensitive site, like your bank. Of course, it’s not your bank at all, but a fake clone set up by the hacker. When you “sign in” to the fake site, you’re handing over your username and password to the hackers.
  • Attachments. Attachments carrying malware are likely #2. The malware more commonly targets your browser, or even your specific bank, rather than trying to finagle something with your password vault. As you sign in to your (real) bank later, the malware slurps up the username and password once again.

Two-factor authentication prevents these approaches from being successful I’d say over 99% of the time. That’s why I harp on it so much. Yes, the hacker may have gotten your username and password, but they won’t have your second factor. Rather than expend more energy on you, they’ll move on to someone else who is less security-conscious.

Security starts with you

As I said above, your passwords are decrypted and visible only on your machine. So for this to ever be a problem, your machine needs to be compromised in some form already.

That’s always been true. Malware can do anything. So anything stored on your machine is technically at risk if you allow malware on your machine.

The good news is that this is an extremely complex and uncommon vector for malware to take. There are easier ways for hackers to get your information.

There’s no such thing as perfection

One of the things I hate about presenting information like this is that I can’t speak in absolutes. I can’t say “Do this and I guarantee you’ll be absolutely safe.” Security is a spectrum. Anything is possible. There are no absolutes.

Our job is to strive to be more secure to the point where we get to a pragmatic level of “secure enough”.

If you are a high-value target, then “secure enough” is different for you than the average person.  Someone could target malware specifically designed to exfiltrate your password vault’s database from your machine the next time you unlock it. That would be difficult and time-consuming, which is why I say you’d have to be a high-value target to be worth the effort. And you’d have to let your guard down long enough for the malware to make it onto your machine.

If you’re a high-value target, then generic security advice from the internet isn’t for you. You need stronger solutions from security professionals.

For the rest of us, though, making it easy to enable and use two-factor authentication is the key. Having that all wrapped up in a single application you may already be using that’s designed from the ground up to be secure works for me.

Do this

Use two-factor authentication. Everything else is refinement.

If you don’t like the thought of having your two-factor codes in your password manager, then don’t. Use a separate app. In my opinion, you might be infinitesimally more secure at the cost of some convenience.

Given that convenience keeps many from considering 2FA, I’m more than happy to recommend having it all bundled in with my password manager.

It’s what I do myself.

Want more clarity about technology and security? Subscribe to Confident Computing! Less frustration and more confidence, solutions, answers, and tips in your inbox every week.

Podcast audio


Footnotes & References

1: Honestly, this is the saving grace that kept the LassPass issue from being worse. Same architecture: whatever was stolen could not be used to retrieve users’ passwords.

10 comments on “Isn’t Putting Two Factor Codes in My Password Vault Less Secure?”

  1. “Two-factor authentication prevents these approaches from being successful I’d say over 99% of the time.” Wouldn’t it be closer to 99.999%? Unless you are being personally targeted, the odds of a 2 factor hack are nearly zero.

  2. I use Bitwarden, which also has an extension with the capability of being used for providing TOTP codes for two-factor authentication.
    To log into my Bitwarden vault via the web interface or the desktop app requires two-factor authentication as well. In my case, the second factor is a Yubikey.
    My understanding of how password managers function is that the providers have “zero-knowledge” of the vault contents, meaning that without the master password, everything stored in the vault is encrypted and inaccessible to anyone else.
    Even if Bitwarden suffered a calamity breach as happened with LastPass, it would take a hacker an extreme amount computing power to crack my vault (I use a passphrase, not a password as the master password). Wouldn’t the theoretical hacker in this case get stymied because of two-factor authentication?
    Some LastPass accounts did get cracked because LastPass didn’t push users to update their settings and those who adopted LastPass in the early days didn’t update their accounts in regard to the iteration settings, leaving it set at 100100 and not changing it to 600600, as later users were using.
    Anyhow, I try to follow the practices I’ve learned here on Ask Leo! and elsewhere to put as many barriers up as I find practical to work with as I can.

  3. I abandoned Authy and moved all my 2FA TOTP use to my PC password manager, Bitwarden. I still have a couple sites in my phone’s Google Authenticator.

    My next trick will be learning how to use Passkeys and storing them in Bitwarden too. I’m uneasy about tying Passkeys to devices like my phone or laptop but Bitwarden isn’t hardware, it’s portable so I can use Passkeys anywhere I can use Bitwarden.

  4. For the more paranoid.
    Put your login credentials into one password manager & put the OTPs into a password manager from a different provider.

    Even if one is hacked & it turns out the password manager has some vulnerabilities (cough LastPass), the hacker will lack complete information.

    The other option is to have the OTPs in a hardware form (where your risk is loss / theft of the key). If you have a situation where you share credentials with a partner/ spouse, hardware keys are less convenient than a password manager.

  5. I’m confused about the whole idea of storing 2FA tokens in my password manager. I use Google authenticator for 2FA. If I want to add a new account to the authenticator app, it scans a QR code supplied by the account and the account then asks for a 6-digit code from the app. Once that 6-digit code is accepted, then the app is able to provide similar 6-digit codes in the regular 2FA process. So what codes or tokens are we talking about storing in a password manager? Is it an image of the QR code? Surely it’s not the 6-digit codes, which expire after 30 seconds. Can someone explain what I would store in my password manager?

  6. Roboform password manager also has 2FA capability, and it’s well implemented. When you enable 2FA in an app that you’ve logged into with Roboform, it automatically reads the supplied code and asks if you want to save it into that app’s password entry. Subsequent logins supplies the code automatically.


Leave a reply:

Before commenting please:

  • Read the article.
  • Comment on the article.
  • No personal information.
  • No spam.

Comments violating those rules will be removed. Comments that don't add value will be removed, including off-topic or content-free comments, or comments that look even a little bit like spam. All comments containing links and certain keywords will be moderated before publication.

I want comments to be valuable for everyone, including those who come later and take the time to read.