nico’s blog


Why store your 2FA in your password manager?

the hot take in question

I was recently watching an episode of the WAN Show where Linus and Luke covered storing your 2FA token in your password manager, and generating your 2FA codes from there. Linus, for one, seemed to strongly dislike this practice. Let's get some facts straight.

basic security principle

Let's assume, for the purposes of this article, that you have the following:

Let's also review the First Commandment of good security.

You should have something you know, something you have, and something you are.

why storing 2FA in the password manager is ok

On a regular login, I show up to the web page and, after biometric authentication, click the autofill icon to have 1Password fill in my username and password, followed by the 2FA code it generates from the same entry (for the purposes of this article we use autofill; whether you should is a separate subject).

Now, based on Linus' take, that's terrible security because there was no second factor, no code from my phone, no Yubikey.

However, let's consider this in light of our First Commandment. I used something I know, my 1Password vault password. I used something I have, my unlocked 1Password vault on a trusted device. I used something I am, the biometric authentication that unlocked 1Password. Arguably, that's all one factor wearing three hats, so let's pick it apart one at a time.

something you know

It's arguable that a 1Password vault password isn't "something you know" as far as the website is concerned. But that label is usually applied to the account password, and if we were good secure users and randomly generated it with 1Password, we don't know our own account password either, do we? What we know is the vault password that unlocks it. Consider our threat model: the attacker we are defending against doesn't know our account password, our vault password, or the fact that we use a password manager at all. All they know is that we have an account on this hypothetical website.

something you have

It's a design principle of 1Password that only you possess your Secret Key: it is generated on your own device, combined with your account password to derive the keys that encrypt the vault, and never sent to 1Password's servers. Therefore only I have the vault and can unlock it, so only I was able to generate the 2FA code and fill in the password. Only my devices can do that, and even if 1Password's servers were breached and my encrypted vault data stolen, it can't be decrypted without the Secret Key, which only my devices hold.
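To make concrete what "only I was able to generate the 2FA code" means, here is an added example (not code from this post, from 1Password, or from any authenticator app): a TOTP generator and verifier written to RFC 6238. The seed is the RFC's published test seed, used purely for illustration, not a real account secret. The point it demonstrates is that a TOTP code is a pure function of the seed and the clock: whoever holds the seed, whether a phone app, a password manager, or an attacker who copied the unlocked vault, produces identical codes. Where the seed lives is therefore exactly what the "something you have" factor is protecting.

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Callable, Optional

# Constructed seed for illustration: the RFC 4226 / RFC 6238 test vector
# (ASCII "12345678901234567890"). Never reuse it for a real account.
RFC6238_SEED = b"12345678901234567890"
# Authenticator apps and password managers store the seed base32-encoded,
# which is what an otpauth:// enrollment URI carries.
RFC6238_SEED_B32 = base64.b32encode(RFC6238_SEED).decode()


def decode_seed(secret_b32: str) -> bytes:
    """Decode a base32 TOTP seed, tolerating lowercase and missing '=' padding."""
    s = secret_b32.strip().replace(" ", "")
    s += "=" * (-len(s) % 8)
    return base64.b32decode(s, casefold=True)


def hotp(secret: bytes, counter: int, digits: int = 6,
         algo: Callable = hashlib.sha1) -> str:
    """RFC 4226 HOTP: HMAC(seed, 8-byte big-endian counter), then dynamic truncation."""
    digest = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, at: Optional[int] = None, step: int = 30,
         digits: int = 6, algo: Callable = hashlib.sha1) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step).

    Any party holding secret_b32 and a roughly correct clock gets the same code;
    there is no per-device state involved.
    """
    t = int(time.time()) if at is None else at
    return hotp(decode_seed(secret_b32), t // step, digits, algo)


def verify_totp(secret_b32: str, candidate: str, at: Optional[int] = None,
                window: int = 1, step: int = 30, digits: int = 6) -> bool:
    """What the website does on its side: accept the code for the current
    time step or `window` steps either side (clock drift), comparing in
    constant time so the check itself does not leak digits by timing."""
    if len(candidate) != digits or not candidate.isdigit():
        return False
    t = int(time.time()) if at is None else at
    secret = decode_seed(secret_b32)
    counter = t // step
    for delta in range(-window, window + 1):
        if hmac.compare_digest(hotp(secret, counter + delta, digits), candidate):
            return True
    return False


if __name__ == "__main__":
    # The same seed in two "devices" (a phone app and a vault) yields the same code.
    code_from_phone = totp(RFC6238_SEED_B32)
    code_from_vault = totp(RFC6238_SEED_B32)
    print("phone:", code_from_phone, "vault:", code_from_vault,
          "match:", code_from_phone == code_from_vault)
    print("server accepts:", verify_totp(RFC6238_SEED_B32, code_from_vault))
```

The verifier's `window` is a design trade-off: wider windows tolerate more clock drift but lengthen the interval in which a code captured by a phishing page can be replayed, which is the weakness TOTP has regardless of where the seed is stored.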

It could also be argued that you should use a hardware key, but since this argument is mostly about 2FA codes rather than hardware security, we'll set that aside. Hardware keys are notably more secure than 2FA codes (a FIDO key is bound to the site's origin, so a phishing page can't relay it the way it can relay a six-digit code), but they are usually poorly implemented as a second factor: Google, for example, lets you fall back to SMS instead of your hardware key... boooooo!

something you are

In this case, I used biometric authentication, but that's a shaky third factor at best. My 1Password vault password would unlock the vault if I were short one finger, and other clients, such as the browser extension, don't always support biometric unlock. Let's count it as 10% of a factor, so we're at 2.1 factors total.

what if you separated your 2FA

Now, according to Linus, you should keep your 2FA on your phone, so you log in with username and password and use your phone as the something you have. This isn't bad security advice, but it's not superior to storing your 2FA in your password manager, mostly because the failure modes are the same: if the attacker has breached your phone, you're hosed. If they've breached your password vault, you're hosed. If they've breached your computer and installed a keylogger or other malware, you're hosed.

think of it as shifting the target and reducing your attack surface

If we follow the conventional advice that 2FA goes on your phone, you have four attack surfaces. One is the website, where your credentials can be phished by a fake site or intercepted in transit. Two is your phone, housing your 2FA seeds. Three is the computer you log in from. Four is the password manager itself. All of these need to be protected in order to secure your account.

However, by placing your 2FA in your password manager, you have removed one of those attack surfaces (the phone), but you have not reduced the number of factors between you and the website. One less door and the same number of locks. The caveat is that both locks now hang on the same door: an attacker who gets into the unlocked vault holds the account password and the 2FA seed at once, which is just the "if they breach your vault, you're hosed" case from above, not a new one.

I'll say that again:

You have reduced the attack surface, the places where the attacker can attempt to get in, by one. You have not reduced the number of factors that the attacker must possess in order to gain access.

a disclaimer

Now, I am not a security professional, but I do dabble in cybersecurity, and I'm sure some normies on the internet would call my level of security paranoid. Please don't take this as gospel truth; if I'm wrong, correct me. This is based on my understanding of attack surfaces, threat models, and what steps to take to defend the website and yourself against intrusion by an attacker.

Securely yours,

Nico
