
Regarding WAN show - 2FA in PW Manager?

WereCat

Poll: Do you think storing 2FA in a PW manager is secure?

23 members have voted

  • I don't use or care about PW manager. (8)
  • I think 2FA stored in PW manager is secure even without 3FA. (1)
  • I think 2FA stored in PW manager is secure with 3FA. (6)
  • I think 2FA stored in PW manager is not secure even with 3FA. (8)


So I am just curious, so I'll put a poll here.

 

For those who did not watch WAN Show:

 

Is it secure to store the second factor within your PW manager?

What if you store 2FA in the PW manager but have a HW key on top of it for 3FA?


There are reasons why you might want to stick the MFA generator in your password manager, for example for shared accounts, where otherwise there may be a dozen phones with the MFA generator on them.

 

But for the backup codes... those should be in the digital (or real-world) equivalent of a safe you only open when you need your backup access, stored in a place you never otherwise go.

 

When I worked in IT we had a separate password manager that was manual-access only, to store the backup stuff, and the main storage was in something more accessible to actually use on a daily basis.


4 minutes ago, manikyath said:

There are reasons why you might want to stick the MFA generator in your password manager, for example for shared accounts, where otherwise there may be a dozen phones with the MFA generator on them.

 

But for the backup codes... those should be in the digital (or real-world) equivalent of a safe you only open when you need your backup access, stored in a place you never otherwise go.

 

When I worked in IT we had a separate password manager that was manual-access only, to store the backup stuff, and the main storage was in something more accessible to actually use on a daily basis.

I meant the 2FA codes, like from Google Authenticator, not the backup codes to get your account back.

That is a completely different can of worms.

 

IMO if someone can break into your PW manager through 3FA then you're likely a high threat factor in the first place, and you should probably reconsider all your security measures and how and which devices you use. I think it's fine for the typical user and likely way more secure than how most people actually store or use their passwords.


2 minutes ago, WereCat said:

 

IMO if someone can break into your PW manager through 3FA then you're likely a high threat factor in the first place, and you should probably reconsider all your security measures and how and which devices you use. I think it's fine for the typical user.

Having your MFA and password sitting in the same place kind of creates a security hole, though. It's a matter of: if this "one" place gets compromised, you're SOL. It's still better than not having that second factor, but it's worse than having that second factor in a different place.


3 minutes ago, manikyath said:

Having your MFA and password sitting in the same place kind of creates a security hole, though. It's a matter of: if this "one" place gets compromised, you're SOL. It's still better than not having that second factor, but it's worse than having that second factor in a different place.

I definitely agree with that.

I think it also depends a lot on what kind of logins you keep in your PW manager.

 

I personally keep logins to websites in it so that I don't have to remember them, and stuff like my bank is all in my head, with a different 2FA, for example.


1 hour ago, WereCat said:

What if you store 2FA in the PW manager but have a HW key on top of it for 3FA?

That's not how security factors work - the 3 available factors are something you know (a password or PIN), something you have (an authenticator app, phone, or FIDO key), and something you are (fingerprint, voice print, face, etc.). I don't know of any password managers (or any services for that matter) that require all 3.

 

If your password manager requires a password, FIDO key and approval from an existing device, that's two factors (know, have, have).

 

That being said, I don't store any "things you have" credentials (i.e. TOTP 2FA tokens or passkeys) in my password manager, because that does leave it as a single point of failure that bypasses all of the factors.


8 minutes ago, colonel_mortis said:

That's not how security factors work - the 3 available factors are something you know (a password or PIN), something you have (an authenticator app, phone, or FIDO key), and something you are (fingerprint, voice print, face, etc.). I don't know of any password managers (or any services for that matter) that require all 3.

 

If your password manager requires a password, FIDO key and approval from an existing device, that's two factors (know, have, have).

 

That being said, I don't store any "things you have" credentials (i.e. TOTP 2FA tokens or passkeys) in my password manager, because that does leave it as a single point of failure that bypasses all of the factors.

I have issues understanding how "have, have" is counted only as one factor when you still have to beat both of them to get in.

 

Let's say I have Google Authenticator on my phone for 2FA, and I have my PW manager protected just with 2FA from that Google Authenticator + password.

If you get in, does it not mean that you somehow already have access to my 2FA codes in Google Authenticator? So while I don't store 2FA in my PW manager, you can still basically access anything.

 

Now if I have a HW key for the PW manager, even if you get access into my Google Authenticator somehow, then you still need to get through the HW requirement and know my PW manager password in order to sign in to my PW manager. How is that different from having the 2FA already in the PW manager, then?

 

Now in my 2nd example you really just have to beat my HW key in order to get everything within, but I think that's quite a tough endeavor. I'm not saying it's impossible, but as I said before, I think the threat factor plays a big role here since you'd have to be targeted specifically on a very personal level... unless there is a way to remotely beat a HW key, which for now seems quite secure from what I've read.

 

I may be missing something though.


1 hour ago, WereCat said:

I have issues understanding how "have, have" is counted only as one factor when you still have to beat both of them to get in.

 

Let's say I have Google Authenticator on my phone for 2FA, and I have my PW manager protected just with 2FA from that Google Authenticator + password.

If you get in, does it not mean that you somehow already have access to my 2FA codes in Google Authenticator? So while I don't store 2FA in my PW manager, you can still basically access anything.

 

Now if I have a HW key for the PW manager, even if you get access into my Google Authenticator somehow, then you still need to get through the HW requirement and know my PW manager password in order to sign in to my PW manager. How is that different from having the 2FA already in the PW manager, then?

 

Now in my 2nd example you really just have to beat my HW key in order to get everything within, but I think that's quite a tough endeavor. I'm not saying it's impossible, but as I said before, I think the threat factor plays a big role here since you'd have to be targeted specifically on a very personal level... unless there is a way to remotely beat a HW key, which for now seems quite secure from what I've read.

 

I may be missing something though.

I think the important part is how the different factors can be compromised.

  • Something you know can be compromised by a keylogger, shoulder surfing, etc.
  • Something you have can be physically stolen.
  • Something you are can be captured in various ways (but can take more effort to fake).

So if someone stole your bag, they could get all your "have" factors. Obviously there is a non-negligible increase in security from having multiple "have" factors, but once your threat model is high enough that you want 3 factors, you probably want them fully orthogonal. (This is most severe with multiple things you know, because lots of things that can steal one will steal both, but I believe still true for things you have and are.)

 

On the point about someone that gets into your PW manager already having access to your Google authenticator, that assumes they log in through the front door. It's also possible that they accessed your password manager via malware on your computer, or by compromising any cloud copies of the vault (which should be encrypted with something derived from your password, but cannot be encrypted from something derived from the Google authenticator codes because they are dynamic).


I read the 1Password article about the security of using 1Password (or any password vault) for both your password and your 2FA, and finally I think their argument boils down to this: Although it's marginally less secure than using an authenticator app for your 2FA, it's a hell of a lot more convenient. And for a lot of people, that convenience makes them that much more likely to use 2FA at all, which is a win however you slice it.

 

They do mention that the main situation where having your 2FA in 1Password is less secure than having it in a separate app is if an attacker somehow gets access to your 1Password vault. They kind of pooh-pooh this as being incredibly unlikely, and then sort of handwave away the rest of the concern with:

Quote

...this theoretical attacker who somehow gained access to your 1Password sign-in details would know your email address, Secret Key, and account password (at minimum). Anyone with the ability to gather that much sensitive intel is unlikely to see an authenticator as much of a challenge.

But you know, after the LastPass fiasco of a year or so ago I'm not so sure. Certainly 1Password seems to be more on top of security than LastPass, but the history of the internet is already rife with examples of people who were doing a great job with security, until they weren't. To pick just a random example, what if 1Password's deployment infrastructure were to somehow get compromised, and they were to push out a malicious build of their app?

 

All of which is to say, I think having your 2FA in a separate app is meaningfully more secure than having it in the same password vault, but either is better than having no 2FA at all.

 

Another key distinction they make is between using an authenticator app (like Authy or Google Authenticator) and using a dedicated hardware device like a Yubikey. The latter is a lot stronger than the former, even though they both technically meet the criterion of "something you have", because:

  • You're fairly likely to lose your phone; you're a lot less likely to lose your Yubikey. While I can imagine situations where you lose both, they mostly come down to essentially "total stuff compromise" where literally anything you possess is theoretically vulnerable to being snagged.
  • TOTP relies on a shared secret, which means (if I understand correctly) that it doesn't protect against serverside compromise at all. That is, if an attacker gets access to the service's password database and successfully cracks your password, they can generate as many auth codes as they want because the shared secret from which those codes are generated is right there next to the password. Yubikeys et al. defend against this because they use asymmetric crypto and only share the public key with the server, so an attacker who compromises the server still can't spoof the Yubikey.
  • Since you're responsible for manually copying the code from your authenticator app and into the login form, you're still vulnerable to MITM attacks where someone spoofs (or just straight-up proxies) the login page for a service, then gets you to visit their proxied version and snarfs both the password and the one-time code to create a valid session that they control, rather than you. Yubikeys defend against this because they refuse to validate unless the domain that's asking is the same one that was initially registered. (Worth noting that password vaults do this too, kinda-sorta, in that they won't autofill for the wrong domain - but you can still copy/paste the password and one-time code, so it's not as ironclad as a Yubikey.)

So Yubikeys and similar devices are the best form of 2FA. But they're also the most of a pain in the ass, because what do you do if your Yubikey breaks? Since the whole point of a Yubikey is that it is literally physically impossible to make a copy of the secret stored on the device, you can't just make a backup copy of your Yubikey. The Official Recommendation is to have two Yubikeys, and enroll them both everywhere, but use one as your "main" one. Then, when that one breaks, get a third one and enroll it in all the sites where you use 2FA (which you can do because you still have the second one), etc.

 

I have to admit that I don't do this, and I'm sure it will come back to bite me at some point. I'm hoping the passkeys get enough traction soon enough that I can just switch over before my Yubikey breaks and I have to question all my life choices.

 

Anyway, seems like there's a pretty clear hierarchy of better-and-worse ways to do 2FA:

  • Bad: no 2FA at all
  • Better: 2FA in your password vault alongside the password
  • Slightly better still: 2FA in a separate authenticator app
  • A bit better again: 2FA in a separate authenticator app on a different device (like an old phone) that's just for that
  • Best: 2FA with Yubikey or equivalent (but also a bit of a PITA)

 

Personally, I use my Yubikey for my most sensitive accounts (email, AWS; not my bank, since they only support SMS 2FA 😑), store a few others in a separate authenticator app, and use 1Password for the ones that I don't really care about being 2FA but that forced me to add it.
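The two bullet points above about TOTP's shared secret and a hardware key's origin binding can be made concrete in code. The following Go program is an added example written for this page, not code from the original post nor from any password-manager or key vendor. It implements RFC 6238 TOTP with the common defaults (HMAC-SHA1, 30-second step, 6 digits; the seed "12345678901234567890" is the RFC's own test-vector secret) beside a deliberately simplified model of a FIDO-style challenge-response. Everything else is constructed for illustration: the HardwareKey, ServerRecord and Assertion types, the origins example.test and examp1e.test, and the challenge bytes. Real WebAuthn carries the origin inside clientDataJSON and an rpIdHash in the authenticator data rather than the bare string used here.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha1"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// TOTP as in RFC 6238 with the common defaults (HMAC-SHA1, 30-second step,
// 6 digits). Whoever holds `secret` can compute the code, and the server must
// hold it to verify, which is the weakness discussed in the post above.
func TOTP(secret []byte, unixTime int64) string {
	counter := uint64(unixTime / 30)
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	sum := mac.Sum(nil)
	offset := sum[len(sum)-1] & 0x0f // dynamic truncation, RFC 4226 section 5.3
	code := binary.BigEndian.Uint32(sum[offset:offset+4]) & 0x7fffffff
	return fmt.Sprintf("%06d", code%1000000)
}

// HardwareKey is a constructed model of a FIDO-style authenticator: the
// private key is generated on the device and is never exported.
type HardwareKey struct {
	priv *ecdsa.PrivateKey
}

func NewHardwareKey() (*HardwareKey, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &HardwareKey{priv: priv}, nil
}

// Assertion is what the browser hands to the site: the origin the browser
// actually saw, plus the device's signature over challenge||origin.
type Assertion struct {
	Origin    string
	Signature []byte
}

// assertionDigest binds the server's challenge to the origin that asked for it.
func assertionDigest(origin string, challenge []byte) [32]byte {
	h := sha256.New()
	h.Write(challenge)
	h.Write([]byte(origin))
	var out [32]byte
	copy(out[:], h.Sum(nil))
	return out
}

// Assert signs the challenge bound to whatever origin the browser reports.
// If a proxied lookalike page asked, that lookalike origin is what gets signed.
func (k *HardwareKey) Assert(origin string, challenge []byte) (Assertion, error) {
	digest := assertionDigest(origin, challenge)
	sig, err := ecdsa.SignASN1(rand.Reader, k.priv, digest[:])
	if err != nil {
		return Assertion{}, err
	}
	return Assertion{Origin: origin, Signature: sig}, nil
}

// ServerRecord is what the service stores for one user. Note the asymmetry:
// the TOTP secret is the very secret the user's app holds, while for the
// hardware key the server only ever stores the public half.
type ServerRecord struct {
	RPOrigin   string
	TOTPSecret []byte
	PublicKey  *ecdsa.PublicKey
}

// VerifyAssertion rejects anything not produced for the registered origin, so a
// code relayed through a lookalike domain fails, then checks the signature.
func VerifyAssertion(rec ServerRecord, challenge []byte, a Assertion) bool {
	if a.Origin != rec.RPOrigin {
		return false
	}
	digest := assertionDigest(a.Origin, challenge)
	return ecdsa.VerifyASN1(rec.PublicKey, digest[:], a.Signature)
}

func main() {
	key, err := NewHardwareKey()
	if err != nil {
		panic(err)
	}
	seed := []byte("12345678901234567890") // RFC 6238 test-vector seed
	rec := ServerRecord{RPOrigin: "https://example.test", TOTPSecret: seed, PublicKey: &key.priv.PublicKey}

	// Same secret on both sides, so both sides produce the same code.
	fmt.Println("user's code at t=59:", TOTP(seed, 59), "server recomputes:", TOTP(rec.TOTPSecret, 59))

	challenge := make([]byte, 32) // constructed: the server would send a fresh random one
	rand.Read(challenge)
	genuine, _ := key.Assert("https://example.test", challenge)
	relayed, _ := key.Assert("https://examp1e.test", challenge) // signed for a lookalike page
	fmt.Println("genuine origin accepted:", VerifyAssertion(rec, challenge, genuine))
	fmt.Println("lookalike origin accepted:", VerifyAssertion(rec, challenge, relayed))
}
```

Run it with `go run main.go`: the TOTP line shows the server reproducing the user's code from its own copy of the secret, while the two assertion lines show the registered origin accepted and the lookalike rejected. Relabelling the relayed assertion's Origin field to the real one does not help either, because the signature covered the lookalike origin and the server holds no private key with which to produce a fresh one.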

@jfmonty2

I think that's a really nice assessment. 

I agree that convenience is a huge part of 2FA not being adopted by many people. 

 

In the case of some people, like my parents for example, they really only know 2FA in the form of SMS and that's it. From their point of view that's secure... even though it's not really that secure.

They don't even know of any other form of 2FA and from my experience most people don't. 

Most people also seem to struggle to come up with a decent password and remembering it. 

 

If I set up a PW manager for them, even with the 2FA codes within and without a HW key, it would still be a massive improvement over what they have now if they actually used the randomly generated passwords, since they wouldn't need to remember them.

 

Regarding the loss of a HW key, I've also had a panic attack once, so I'm "prepared" now, once I actually employ these:

[attached photo]

I think the most important thing to keep in mind here is this:

 

"Security at the expense of usability comes at the expense of security."

 

 

Back in university one of our professors once introduced a course with pictures of people bypassing safety measures because they were inconvenient. I can't find it anymore, but it was a huge machine that needed two people to operate. Not really, though; just for safety.

 

The way it was implemented was that you had to press two buttons at the same time that were placed far enough from each other that one person couldn't reach both of them. It was bypassed by using a plank of wood that was long enough to push both buttons.

 

Bottom line: if you make it hard, users will find ways to make it easy again, even if this means endangering their own lives, never mind information security.

 

 

This was kinda baffling to me back then, but having experienced various security implementations of big companies I now tend to agree with the users and also do my utmost to make life easier for me.

 

Storing both the password and the token generator in the same password manager is an excellent solution for sites that insist you use 2FA when they are really not as important as they think they are. Or when it is a company shared account and a department's worth of people need to be able to log in to it...

On 1/6/2024 at 5:11 AM, colonel_mortis said:

That's not how security factors work - the 3 available factors are something you know (a password or PIN), something you have (an authenticator app, phone, or FIDO key), and something you are (fingerprint, voice print, face, etc.). I don't know of any password managers (or any services for that matter) that require all 3.

 

If your password manager requires a password, FIDO key and approval from an existing device, that's two factors (know, have, have).

 

That being said, I don't store any "things you have" credentials (i.e. TOTP 2FA tokens or passkeys) in my password manager, because that does leave it as a single point of failure that bypasses all of the factors.

I don't know if this counts, but Microsoft Authenticator on an Apple device needs Face ID or Touch ID. I don't know about other devices or apps, but I know this combination does.

This was a very interesting topic since it made me aware of a hole in my security that I had not even considered. The account linked to my backed-up rolling 2FA is (well, WAS) right in my password manager. So if someone did manage to get in, all my work would be for nothing if they figure out which basket the 2FA is in.

 

That password now sits in a document on a thumb drive in my desk drawer. I could have printed it off or written it down, but I still like being able to cut and paste complex blobs of characters rather than typing them.

 

Something worth considering... how many of you had LastPass vaults that would have been grabbed in the hack? How many of those vaults were opened in the early days of the company?
The oldest of the vaults are WAY easier to crack than those from intervening years, because as the need for better encryption materialized, older accounts were often not upgraded. Not to mention that metadata was in some cases found to be NOT encrypted in the vaults.

 

Would this change your risk posture?


I really don't get the idea of setting up 2FA and then going and putting both authentication methods in a single place, creating a SPOF, even if that place is guarded by 3FA or better. Outside of security, in no other field would they even consider this as an option, yet when it comes to access to our accounts this becomes acceptable somehow? It makes no sense to me.

3 hours ago, Seccedonien said:

I really don't get the idea of setting up 2FA and then going and putting both authentication methods in a single place, creating a SPOF, even if that place is guarded by 3FA or better. Outside of security, in no other field would they even consider this as an option, yet when it comes to access to our accounts this becomes acceptable somehow? It makes no sense to me.

It's all a question of threat models, particularly "what types of attack does this defend against?"

 

Storing your 2FA in the same password vault as the password will still help in some pretty common attack scenarios:

  • Keyloggers
  • MITM attacks (e.g. a spoofed login page) where the credentials are just saved for the attacker to use at a later date (rather than being used immediately to create a valid session)
  • Credential stuffing attacks, although admittedly if you're using a password vault you should already be immune to those by dint of not reusing passwords
  • Technically I guess online brute force attacks as well, although again if you're using a password vault then your password is likely more than strong enough to resist brute force on its own. (Also the vast majority of brute force attacks happen offline these days, and 2FA isn't going to help you there.)

In general, storing 2FA in your password vault is helpful in any situation where a) your password gets exposed via some other route than your password vault, and b) the attacker doesn't immediately make use of the exposed credentials. Because 2FA is time-limited, it means that the compromised credentials are only useful for a very short period of time, which significantly increases the difficulty of using them.

 

Really the only situation in which it's less secure than using a separate authenticator app is if the password vault itself gets compromised separately from your authenticator app. (That is, if you leave your phone somewhere and someone manages to break into it, then they have both your password vault and your 2FA app, so it's no different from if you had used the password vault for both.)

 

It's definitely not impossible for your password vault to get compromised like that (see Lastpass etc), so it's certainly valid to say that storing 2FA in your password vault is meaningfully less secure than using a separate app. Whether that drop in security is acceptable will have to depend on your personal situation and risk tolerance.

 

It's also worth pointing out (as various other comments here have) that the convenience factor is pretty key. If the convenience of having 2FA in your password vault means that you are willing to use 2FA somewhere that you otherwise wouldn't have bothered, then that's a pretty unambiguous security win.

 

It doesn't have to be all one or the other, either. Several people in this thread (myself included) have mentioned that they use a hybrid of Yubikey-or-equivalent, authenticator app, and password vault to manage their 2FA, depending on the sensitivity of the account in question.


On 1/10/2024 at 11:10 AM, jfmonty2 said:

It's all a question of threat models, particularly "what types of attack does this defend against?"

Just finished listening to that WAN Show, so I'm a bit late to the party, but this point really is key. Your hierarchy of less secure to more secure was also spot on. Linus and Luke can keep going on about how storing 2FA in a password vault is insecure, but if they don't talk about the specific threat models they want to protect against, it's basically meaningless. I may as well laugh about how Floatplane is insecure because it's connected to the internet; they should airgap their servers, and if you want to watch Floatplane content, travel to their datacenter in Vancouver.

 

One thing that should have been discussed if they want to talk about 2FA security is what happens if you lose the second factor (e.g. if the phone/Yubikey/etc. dies or is lost)? If it's truly 2FA, then your account is gone. So if you want 2FA and it's an important account, you need to treat the second factor like your most precious data and back it up accordingly, and where exactly do they think that backup belongs if not in an encrypted password manager? If they don't trust their cloud-based password manager to protect their passwords, maybe they should be re-evaluating their choice of password manager? Talking about how to actually save those codes securely without being ridiculously inconvenient is much more productive than repeating "2FA code in password manager bad".

Keeping a paper copy in your drawer sounds nice, but that alone doesn't satisfy the 3-2-1 backup recommendation for keeping data safe. If your house gets destroyed by a natural disaster, it's highly likely both your 2FA device and backup codes would be gone. Maybe if you happen to have a safety deposit box at your bank you could use that: it would be quite inconvenient to update or access it, but maybe for those who have a box like that it works (I don't have one and I don't know of any of my friends that do). Perhaps an encrypted container separate from the password manager would be a nice balance of convenience and security?

On 1/7/2024 at 2:55 PM, jfmonty2 said:
  • Bad: no 2FA at all
  • Better: 2FA in your password vault alongside the password
  • Slightly better still: 2FA in a separate authenticator app
  • A bit better again: 2FA in a separate authenticator app on a different device (like an old phone) that's just for that
  • Best: 2FA with Yubikey or equivalent (but also a bit of a PITA)

So to tie in backing up 2FA codes with this list, I'd probably just want to add one more variable, which is the distinction between cloud-based password managers and strictly local password managers. For password managers that operate on local databases, the password vault is not in the cloud. For an attacker to reach those passwords, they would have to compromise the end user's device rather than the cloud service, and then they would have to obtain both the database file as well as the password to decrypt it. There could also be other factors securing the local password database that they might need (fingerprint, hardware tokens, etc.).

 

For local password managers, I don't see a huge difference between storing the 2FA code in the same database vs. a separate encrypted container from another app, which is part of why I found their whole discussion kind of mediocre. If an attacker owns your system enough to access a locally stored password database, they basically have your 2FA database as well. Using an entirely separate device for the two databases could add an additional layer of security, although managing the 3-2-1 backup strategy for the two devices in such a way that retains the added security of the two separate devices sounds pretty convoluted to me.

 

So yeah, if they had specified they were talking about saving 2FA codes to cloud-based password vaults, I can kind of see why they'd say it's insecure, as I personally don't like to trust cloud-based password managers. But then I'd just go back to my previous question: if they think cloud-based password vaults are so insecure, why use them at all? And if convenience is the answer, why can't convenience also be the answer for storing 2FA codes in the vault?

I know 3 passwords for my personal accounts:

  1. Master password for my password manager
  2. Password to unlock my 2FA app (only required for new devices being given access)
  3. Throwaway password for things I don't care much about

 

The password to my 2FA is not stored in my password manager,

and the name of my password manager is not stored in my 2FA app.