1

Assume I have a password manager that stores the credentials for a login to a 3rd party service. In this credentials the username, password and a TOTP-seed is stored and the current TOTP-token is displayed at all times and refreshed accordingly (Note that such a password manager does not exist).

Is authenticating to the service with this credentials then still considered to be 2-factor authentication, because I can present the password and the correct TOTP-token, or a 1-factor authentication, because both of them get reduced to possesing the access to the password manager account?

Gamer2015
  • 727
  • 6
  • 12

3 Answers3

1

In this case i would consider it a 1-factor authentication, but only from the client-side.

On the client side it would not much differ from using a password only, as each factor is not seperated from each other and can be accessed with the same password.

From a server-side view it can still be considered a 2-factor authentication, as the authentication process still relies on two different factors, which ideally should be seperated from each other.

Mime
  • 132
  • 10
  • This is wrong. You ignore that factors must be independent on each other. You can see it as follows: How many barriers needs an attacker to break for successful authentication? If breaking one barrier breaks also another one, then this is 1-FA, not 2FA. This has nothing to do with implementation of client and server. That's why there is no client view or server view. – mentallurg Jul 25 '21 at 10:41
0

Yes, this degrades it to a single factor authentication.

Think of this as follows. How many problems need an attacker to solve to break authentication?

Consider examples: Suppose you have authentication that requires password and and a code sent via SMS. To break it, the attacker needs 1) to know you password and 2) to get access to your telephone to read SMS messages. Or in case authentication requires password and a fingerprint, the attacker needs 1) to know your password and 2) to somehow simulate your fingerprint.

How many problems needs the attacker to solve in case you use password manager to keep multiple secrets? If the attacker get a password for your password manager, then all secrets will be revealed. Thus, the attacker needs to solve a single problem - get password for your password manager. Thus keeping multiple related secrets in a password manager is a single factor authentication.

mentallurg
  • 12,418
  • 5
  • 36
  • 50
-1

Assuming your password manager is protected by a password, this can still be considered a 2 factors authentication because you need access to the password manager's database. However, this database might not be protected as well as another TOTP provider (such as a physical electronic token or a smartphone). Also, this second factor might be considered by some as a proof of knowledge instead of possession, but that's semantics. In practice, it can be considered as a weaker 2FA mechanism.

It might also be possible to protect the access to the database by a key file and a password, providing another authentication factor.

But that's from the point of view of the user. From the point of view of the service, it is still 2FA, whatever the user do. What the user do is their responsibility: they can increase or decrease the authentication strength by their choices. Trivial examples of such choices are choosing long and random passphrases on one hand, or telling their password to everybody on the other.

A. Hersean
  • 10,569
  • 3
  • 30
  • 43