I've read a lot of advice against storing your 2FA codes in your password manager and I don't understand why. Isn't a file on your computer something you have?

There is the added benefit that you don't have to worry about losing your phone or YubiKey, so long as you keep multiple backups of your encrypted password database.

Jonathan
  • Does this answer your question? A special file as the second factor in 2FA. Apart from that: 2FA is not about "something you have" but "something only you have". If the file is well protected so that this "only" restriction can be matched, then it can also be used as a second factor. Of course, there needs to be a way to prove ownership of a file without exposing the file, because otherwise the "only" requirement is no longer true. – Steffen Ullrich Nov 28 '21 at 12:48
  • Lucas' answer does help, i.e. you need to protect your second factor. To clarify, does "to prove ownership of a file without exposing the file" refer to encryption? – Jonathan Nov 28 '21 at 13:05
  • Another way of framing it is: when you use a password manager, all the really strong passwords it creates and stores for you are no longer really something you know but something you have (?), presumably something only you have, so why not store your 2FA codes in there as well? – Jonathan Nov 28 '21 at 13:08
  • "... refers to encryption" - some kind of cryptography usually helps. For example, public key cryptography allows one to prove ownership of the secret private key without providing the private key to somebody. This is the basis for key-based authentication in SSH and certificate-based authentication in TLS. – Steffen Ullrich Nov 28 '21 at 13:11
  • The shared links were helpful and led me to https://blog.1password.com/totp-for-1password-users/ where the advice "Put simply: the device that holds your TOTP secret should never hold your password if your aim is genuine two factor security." answers my question, thank you! – Jonathan Nov 28 '21 at 13:29
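The contrast the comments draw, as an added example that is not part of the question or the comments: a TOTP code is computed from a shared secret, so the server, the password vault and anyone who can read that vault can all produce valid codes, whereas a key-pair challenge-response lets the verifier check possession with the public key alone. The example assumes only Go's standard library and uses the RFC 4226/6238 test secret as constructed input.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha1"
	"encoding/binary"
	"fmt"
)

// TOTP per RFC 6238 (HOTP per RFC 4226) with the default 30-second step and
// 6 digits. Whoever holds the raw secret can produce every code, so a vault
// entry holding both the password and this secret is a single point of compromise.
func TOTP(secret []byte, unixTime int64) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], uint64(unixTime/30))
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	h := mac.Sum(nil)
	off := h[len(h)-1] & 0x0f // dynamic truncation offset
	code := binary.BigEndian.Uint32(h[off:off+4]) & 0x7fffffff
	return fmt.Sprintf("%06d", code%1000000)
}

// ProveAndVerify models challenge-response with a key pair: the prover signs a
// fresh random challenge and the verifier checks it using only the public key.
// The private key never leaves the prover, so a leaked verifier database
// cannot be replayed to impersonate the user, unlike a leaked TOTP secret.
func ProveAndVerify(priv ed25519.PrivateKey, pub ed25519.PublicKey) bool {
	challenge := make([]byte, 32)
	if _, err := rand.Read(challenge); err != nil {
		return false
	}
	sig := ed25519.Sign(priv, challenge)
	return ed25519.Verify(pub, challenge, sig)
}

func main() {
	// Constructed input: the RFC 4226/6238 test secret, so the output can be
	// checked against the published vectors (287082 at T=59).
	secret := []byte("12345678901234567890")
	fmt.Println("TOTP at T=59:", TOTP(secret, 59))
	pub, priv, _ := ed25519.GenerateKey(nil) // nil selects crypto/rand.Reader
	fmt.Println("challenge-response verified:", ProveAndVerify(priv, pub))
}
```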
