AFAICT there’s nothing Bitwarden-specific in the article.
I disagree with the argument that storing TOTP secrets in your password manager is a bad idea. You absolutely should be using a good password or phrase on your pw manager*, but scattering your TOTP codes across Authenticator apps is more likely to cause you grief. The whole point of the password manager is to have a single place to track all of these things and a single thing to worry about backing up/recovering/being able to migrate in the future. Better to have one really secure basket than half a dozen baskets of unknown quality.
To me it looks like one of those well-intended pieces of advice we had before password managers: change your password often. In principle it was not bad advice. But in combination with password policies that made it nearly impossible to memorize the password, we ended up with passwords on stickies.
In principle it is correct that if a password manager vault with TOTPs in it is compromised, it's game over. But the proposed solution adds so much friction that I'm afraid people would have disabled TOTP altogether if they were required to use a different device/PM for it.
I think the author overstates the probability of vault compromise for an average user. It’s much more likely that Facebook/Twitter/whatever db will be leaked than an average user would be targeted. In that scenario, for most it’s better to have TOTP enabled and saved in the same PM.
I’ve seen people argue against TOTP, or argue against calling it a “second factor”, solely because the secrets can be stored in a password manager. But I’ve never seen someone argue against hardware keys in the same way, despite the fact that you can easily plug one in and leave it there forever.
Personally I’d rather people use TOTP than SMS, and if people do actually go install and use a password manager and also store their TOTP secrets in it, well, they’re still better off than the average person today with reused passwords and no 2FA at all.
Well, hardware keys usually require you to physically touch them - it's a "something you have" factor, whereas password + TOTP is two "something you know" factors. I'm not advocating against storing TOTP in a password manager, I agree with the top comment, but there is a lot more to be gained by using a hardware key than pretty much any other form of authentication*.
On an unrelated note, 1Password has decided that it wants me to use it to fill in this text field on lobste.rs… not sure what that’s about!
*this is a flippant comment I haven’t thought too hard about.
If you leave the key plugged in, then access to the machine == access to the key. It’s like leaving the password on a piece of paper stuck above the monitor. And in a lot of cases, that access also gets them access to the password manager, leading to complete compromise.
So I don’t agree with the people who judge TOTP-in-password-manager so harshly. Does it mean a compromise of the password manager is a full compromise of passwords and TOTP? Sure. Is a compromise of the password manager among the top threats to mitigate given that credential re-use and a bunch of other things are still rampant? Nope. “Password manager gets compromised” is waaaaaaaaay down the list of threats I’m going to worry about. So when I see people effectively trying to steer ordinary users away from password managers because of something that’s such a low-priority threat, I tend to push back.
It's still a second factor though: it requires access to the machine, so it's indeed "something you have".
And while theoretically it might be, I disagree with the paper comparison. It would be, if the password on the paper were both a second password and somehow changed so that it ensured the "something you have" part.
Something you have can of course be stolen physically. It’s the whole concept of being a physical factor.
Just a response to the first part. I am not saying it’s bad. I haven’t really made up my mind about it. The above just was about the physical/something you have factor.
Why would physical access give them access to the password manager? Now they have the "something you have" but still don't have the "something you know" to get access to your password manager. A hardware token is pretty useless on its own, so I disagree that it's anything at all like leaving a piece of paper stuck to the monitor - you need username and password before you ever get to use the security key.
This is a straightforward security vs. convenience tradeoff.
Pros of storing TOTP in password manager:
autofill TOTP codes
easily migrate between devices (migrating Google Authenticator to a new phone is a huge pain)
login without your phone/yubikey
Cons:
If your password manager is compromised, all your accounts are accessible
I would argue that the convenience is worth it for most people. Most people have horrible digital security practices and struggle with login. They’re not going to use password managers or MFA unless you make it very convenient.
I was just thinking what the author might think of when they hear about Twilio Authy where my two step codes are protected just by a text message, my encryption password, and a prayer.
I tried using bitwarden but as far as I can tell, you can save but not use two step codes in bitwarden without paying for it.
If you are looking for Google Authenticator alternatives then I will highly recommend Aegis for Android. It is fully open-source and allows you to export/import keys.
I agree that if you want strong 2FA you shouldn’t store the secret in your password manager.
But there are lots of cases where the site wants to force 2FA but I won’t want it. These sites are not worth me risking mismanaging or losing my secret. In that case storing the TOTP secret in my password manager is a way for me to take back the control and choice.
I see this take a lot, and TOTP's purpose is not to keep secrets in separate buckets that users control. It is to guarantee that there is a secret that the user is storing, because you can't trust that a server is storing your password encrypted or that it wasn't read by someone in transit. By only transmitting one-time codes, these common vectors are prevented. If cracking a password manager was actually a common vector, why not use seven password managers?
The TOTP key is just another secret you share with the service you're logging in to - there's just a slightly different way to demonstrate you have access to a copy of this secret. So the risks and attacks are in some ways very similar (except the big one: that you generally actually share the password on every login, unless you are using Kerberos or something...).
But sure, if you can, a hardware token (and a backup token or two) makes TOTP more of an actual second factor.
The other use case is a shared TOTP secret. I’ve got a few accounts in my password manager that require 2FA but they’re shared with my partner.