11

Can anyone explain me what's this trend of providing passwords and OTP codes on the same service? What benefit or value are they trying to bring to the table?

We, as security professionals, have been fighting for the adoption of 2FA for a long time, and now that we are reaching a wider coverage, password managers are increasingly providing support for both passwords and OTP, hence, defeating the purpose of multiple factors of authentication.

Some will say, the benefit of 2FA from the point of view of the target service is still there, but come on, if the average Joe had 15 online identities, now it's only necessary to attack one of them (the password manager) and if the user used the service to store the OTP codes as well... GG WP.

3 Answers3

12

Password managers want to also manage OTP because they're in the business of making authentication easier.

But there's a trade-off.

Managing OTP (or any other truly additional factors) in the same place as your passwords shifts the risk model. It pools multiple independent factors into a single attack surface. This turns the system(s) running the password manager into a higher-value target.

The increased risk may be acceptable for general users, but it is riskier for targeted / high-risk users. (The rest of my answer takes the high-risk users as the more interesting case.)

If OTP codes are stored on an independent device, by contrast, then compromise of the system(s) hosting the password manager (while still obviously bad) does not provide instant unfettered access to all accounts stored in the password manager.

Of course, a user can always check the "don't require OTP on this system" checkbox. High-risk users can skip that option, and require the OTP at every login. If they do so, then if they surf the web from their laptop but use a phone-based OTP app, an attacker must compromise both endpoints - the surfing system, and the phone - to authenticate as the target user on OTP-enabled websites. (Which is the fundamental value proposition of MFA.)

And it's important to remember that storing OTP in your password manager is not an "either/or" situation. Some users might choose to store low-value OTP codes in the password manager, and high-value OTP codes somewhere else. (Corollary: it would be great if the password managers could advise users about the trade-offs, so they can make informed risk decisions!)

Not storing OTP separately decreases the cost of (targeted) attack. But as always, whether or not that matters depends on your threat model.

Royce Williams
  • 9,573
  • 1
  • 33
  • 57
5

We, as security professionals, have been fighting for the adoption of 2FA for a long time, and now that we are reaching a wider coverage, password managers are increasingly providing support for both passwords and OTP, hence, defeating the purpose of multiple factors of authentication.

By definition, 2-factor authentication is presenting something from two different categories of "something you {know, have, are}". Arguably, we've already lost this game as soon as password managers are involved at all because password managers change passwords from a "know (memorized secret)" to a "have (access to the device)" -- especially the password managers built in to browser that don't lockout or need a master password very often. OTP is also a "have (access to the email address / SMS number / authenticator app)" and most people will put their password manager on the same device that has access to the OTPs.

So, while it definitely looks alarming to have passwords and OTPs in the same app, I'm not sure it's fundamentally different from having them in different apps on the same device.

Mike Ounsworth
  • 59,005
  • 21
  • 158
  • 212
  • 2
    Indeed. Different apps on different devices for the true 2FA benefit. Though there is some nuance that comes from having to know the main password for the password manager itself (with a short timeout, etc.) There's still something that you have to know, with a timeout for how often you might not need to know it. It's interesting. – Royce Williams Feb 23 '21 at 23:53
  • 1
    It is in fact fundamentally different. Two apps on the same phone still allows you to separate access and security for the two (master password for one, fingerprint for the other, different master passwords etc), which makes it equivalent to two devices. A single app offering both features under the same unlock mechanism does not allow you to separate the two, i.e. it will never actually be 2fa. – Normadize Dec 02 '22 at 04:02
4

defeating the purpose of multiple factors of authentication.

No, it doesn't. OTP protects the user in case of phishing. If Joe enters its login on a cloned page, the attacker will only be able to use his credentials if he acts very fast, otherwise the OTP will have expired.

It protects the user in case of credential leak too. As most users will not have a dozen different passwords for a dozen services, if one password leaks all other accounts are at risk. With OTP, even if the user has the same useless 12345678 password on every service, the attacker will not be able to compromise any account because of OTP.

If an attacker has access to Joe's computer and he's able to attack the password manager, same attacker already has to replace the password manager with a trojanized version, or the browser, or install keyloggers. If he has access to the computer, it's game over anyway, with password manager or not.

Unless you are expecting average users to have one password manager taking care of passwords, and another password manager on another device taking care of OTP tokens, having one password manager taking care of both is a good trade-off.

Faulst
  • 368
  • 2
  • 5
ThoriumBR
  • 53,925
  • 13
  • 135
  • 152
  • 3
    "Unless you are expecting average users to have one password manager taking care of passwords, and another password manager on another device taking care of OTP token" this is exactly how's been for years. You have an app for OTP codes (traditionally Google Authenticator, now there are many other rich-full choices) and then a password manager (a web service). Even if you manage to get access to the computer, you still need to find out the master credentials to unlock the password manager and the OTP app. If both pieces of information are on the same app, you only need to attack one. –  Feb 21 '21 at 16:46
  • 1
    in other words, authentication on the service uses multiple factors of authentication, but the source of those factors of authentication is the same. –  Feb 21 '21 at 16:49
  • 1
    I don't agree about protecting against phishing; usually, the attacker will steal session information e.g. cookies, and won't need the OTP again going forward. There are tools/frameworks out there for this sort of thing. – multithr3at3d Feb 21 '21 at 17:44
  • @multithr3at3d evinginx is available, but that isn't the most common attack. Phishing and password leaks are by far the most common ones. – ThoriumBR Feb 21 '21 at 21:49
  • 1
    The purpose of OTP isn't to resist phishing - OTP codes can also be phished. That's why U2F and WebAuthn exist. – Royce Williams Feb 22 '21 at 06:06
  • Speaking as an "average" user, my problem is this: Where do I store the 2FA secret code and backup codes, if not in the password manager? – Paddy Landau Mar 14 '21 at 09:05
  • Speaking as an "advanced" user: store the 2FA on the password manager, and use its automatic backups to send a backup to a cloud storage (GDrive, iCloud, OneDrive, Dropbox, etc). – ThoriumBR Mar 15 '21 at 11:08