It’s a feature that can make two-factor easier to use — but at what risk?
It does seem somewhat counter-intuitive, doesn’t it? LastPass added that feature as well. I have yet to fully play with it, but I certainly have thoughts.
The short thought is that anything that makes two-factor authentication more likely to be used can’t be all bad.
Password vaults and two-factor authentication
Password vaults that offer to act as your second factor, perhaps even automatically entering the two-factor code for you as you sign in, make two-factor easier to use. While there’s a tiny (tiny!) additional risk in keeping your two-factor keys in your password vault, it’s totally worth it if it gets you to use two-factor authentication more consistently.
TOTP, aka two-factor authentication
TOTP stands for Time-based One-Time Password. More commonly, it’s known as the Google Authenticator-compatible two-factor authentication mechanism.
The process is simple: you set up two-factor by pairing your smartphone with your account, usually by scanning a QR code that contains a secret key. The authenticator application displays a random-looking number that changes every 30 seconds. It’s not random; it’s computed from the secret key and the current time by a cryptographic algorithm (an HMAC), which is why the service can compute the same code and check yours against it. Your ability to enter the correct code at the correct time proves you are in possession of your second factor: your phone.
Thus, two factors are required to sign in:
- Your password
- The authenticator code
Some password vaults have taken steps to make this a little easier.
Password vaults and 2FA
Password vaults like Bitwarden and (some versions of) LastPass (shown above) have incorporated the open TOTP algorithm that Google Authenticator uses, so they can also act as your second factor. But they take it a step further.
First, for an appropriately configured account, the vault knows:
- Your user ID
- Your password
- Your two-factor secret key
That means the vault software could enter your user ID, your password, and the current two-factor code for you automatically.
But is that a good thing?
The small risk
In theory, if someone were to gain access to your vault, it would give them the first and second factors (passwords and two-factor codes).
The good news is that this is highly unlikely. Not only do we tend to be more careful with our vault’s security, but there are multiple steps in place to prevent someone from randomly gaining access. It’s possible, but highly unlikely. Even if a hacker were to breach the provider (Bitwarden, LastPass, or another), they could not gain access to this information, because the vault’s contents are encrypted with a key derived from your master password, which the provider never holds.
And the second factor remains in force. If anyone ever discovers your password by other means, your account is still securely protected.
The pragmatic spectrum
I see account security as a spectrum.
- Good: use a password vault.
- Better: use a password vault and 2FA, keeping your 2FA tokens in the vault.
- Better still: use a password vault and a separate 2FA method (e.g., Google Authenticator or a compatible app).
- Best: use a password vault and a separate physical 2FA device such as a YubiKey.
The increase in security between “good” and “better” is massive. Adding two-factor is a significant increase in security.
The increase in security between “better” and “better still” is small. The risk of someone gaining access to your password vault is very small, and if the convenience is enough to get you to enable two-factor authentication, then it’s totally worth it.
Given that the perceived inconvenience of two-factor authentication often keeps people from even trying it, letting the password vault handle it for you seems like a perfectly fine way to improve overall security.
I say, go for it.