You are better off security-wise with 2FA enabled than without it (for the phishing-related reasons mentioned in TFA - EDIT: taviso is correct in their comment, it's more about protection against credential stuffing than phishing), regardless of where you put the codes, so if being able to put the codes in your password manager is going to be the difference-maker in someone electing to use 2FA, they should do it.

It's the same idea with using a password manager in the first place - if a password manager is going to be the thing that gets you to use secure passwords that vary across services, it's worth the tradeoff of having all of those passwords in one place, because you're much more likely to be compromised by a bad password than by a password manager leak.

The reason I store 2FA codes in my password manager is as a protest to companies forcing me to have a 2FA. I don't want to be randomly locked out of my google account due to not having a usable 2FA, and I also don't want to depend on having a single device be always available to provide the codes.

In practice, I feel the main reason 2FA is popular is because people cannot be trusted to create unique and secure passwords for every service. The phishing-resistance is nice, but I'd prefer it being the only credential, and just having it be autofilled (making it longer to combat bruteforce), like what we currently have with password managers...

Here's to hoping passkeys turn out any better.

I store 2FA keys in a fingerprint protected Aegis vault on my phone, and I periodically export an encrypted (with a master password I remember) backup that I then email to my parents.

I get their argument that 2FA makes phishing more difficult, but I disagree that it's its "primary use", or that the distributed factor is unimportant. I personally wouldn't feel comfortable having all my important accounts behind Bitwarden's single point of failure. 2FA for important accounts mitigates the damage if my Bitwarden is broken into.

I'm not familiar with the expert they consulted, but the claim that "The main advantage of 2FA is that it is much more difficult to gain access to your accounts via phishing attacks" is just plain false.

TOTP or SMS-2FA are obviously phishable, if you just entered your password into a phishing site, why wouldn't you also enter a TOTP code? I usually point to Modlishka as a practical example (https://vimeo.com/308709275) to help visualize this.

In fact, the main (claimed) advantage of 2FA is that it prevents "Credential Stuffing" of reused passwords. I personally don't think TOTP (or similar) are a good solution to this problem at all, but this is a thorny issue.

It's better than not having 2fa, but a breach to your password manager would give any attacker full control over your accounts.

A better approach would be to split in two solutions where you store passwords and 2fa keys.

I use bitwarden for passwords, but save all 2fa in aegis. These two have different 5 word passphrases prefixed with a regular 8 char password to increase entropy. I save a backup of the 2fa db to a replicated storage with a synthetic password. For bitwarden I delegate persistence of the data to bitwarden, but it would make sense to take encrypted backups regularly.

The disaster recover protocol is to have a smaller 2fa encrypted database printed in paper. I know the password to this db. Recovering this DB gives me access to bitwarden and the cloud storage, which gives me access to the rest of my password and keys.

I disagree with the experts here. There was and is absolutely nothing wrong, and quite a lot right, by having the 2FA program completely separate from your password vault. At best, this is a lateral security trade-off that you are paying them to provide. View the 2FA feature from a software marketing and sales lens. Can you see how it's just feature creep, driven by competition doing the exact same thing?

More generally: the world would be a better place if most people relied on password managers. If you can do it reliably, using any password manager, even the one built into your browser or OS, is better than not using one.

The problem is that it requires a certain amount of good hygiene when it comes to computer equipment. There are many people who are bad with computers, who don’t have phone backups and lose their phone, who will share accounts and devices, and so on. The result is an insecure mess.

So, solving the “people should use a password manager” problem requires solving all the other issues surrounding how non-technical people use and misuse computer equipment, so that having a password manager and not losing the essential data stored in it becomes the default.

For some people, it would probably be safer and easier to write down your passwords on paper, in a notebook. Other people will lose the notebook, or have it stolen from them. There are similar but more complicated issues with holding onto computer devices.

Important to note that not all password managers are equal. Using Apple’s built-in password manager is more secure because it is inherently tied to your biometrics and authentication is hardware-based, i.e Secure Enclave. This is categorically different from web services like Bitwarden or 1Password authenticated by login email and 2FA codes. Even if someone got into your Apple ID they still would be unable to view or sync your passwords without biometrics.

I had my password manager compromised by a business partner. I added him to my 1Password account and then, in a play for control of the company, he attempted to remove me. Lesson learned: don't try to save money on password managers.

If all of my 2FA code generators had been in 1Password I would have been truly screwed, but in a stroke of luck I had been paranoid enough to use a separate app for 2FA codes.

Because there's a trade-off between security and convenience.

People advocating against storing 2FA codes in the password manager are correct from a purist perspective, but not from a pragmatic perspective if you ask me.

If my device is compromised, along with my device's password, as well as the password manager's password, then yeah... I'm screwed.

As long as I keep my devices up-to-date though, I believe the highest risk comes from state-sponsored actors. I've chosen convenience, and I've made my peace with it.

It's interesting how many argue that putting 2FA codes into a password manager is wrong because you combine 2 factors into one (not don't fully agree with that reasoning), but then are happy with passkeys. How are passkeys better?

I think it's a terrible idea, because it dramatically decreases the attack surface area needed to compromise accounts. 2FA is supposed to be "something you know' and "something you have"; putting your 2FA seeds into your password manager reduces your 2FA to "something you know", and, significantly worse, it's "something you know in the same place as the other thing you know".

The time-variant component is still quite valuable, but it does nothing to protect you in the event of a password manager compromise. This is not a hypothetical; LastPass has suffered multiple breaches, and the more popular a solution, the more likely there are to be attacks against that solution. By keeping your 2FA separate from your password manager, even if it's still just "something you know", it's something you know in a location that's orthogonal to your passwords. If I yield to convenience and use a 2FA desktop app, then now, instead of just attacking my Bitwarden install, you have to successfully attack my Bitwarden install and my 2FA desktop app install to get access to my accounts, and the combination of password managers * 2FA managers is a substantially larger attack surface and requires a significantly more sophisticated attack to get both pieces.

The arguments in the article come down to "well, 2FA mitigates phishing attacks" (true) and "Google Authenticator means you can lose your data easily" (also true). But neither of these is a good argument for why the data should be kept together. It just means "use 2FA", and "use a 2FA manager that lets you directly manage your seeds and keep offsite encrypted backups".

If you can't be bothered to do it properly, then 2FA codes in your password manager is certainly better than not using 2FA at all, but that just makes it a less terrible solution, not a good one.

The first reasoning basically summarises to "storing 2FA token in a password manager protects against phishing because the TOTP token won't be autocompleted on the wrong domain".

Any decent password manager would avoid autocompleting the password on the wrong domain in the first place. I.e.: it will already protect against phishing attacks anyway.

1Password's documentation use to have a whole article about how bad an idea it was to store TOTP in a password manager — but their stance completely changed at some point. Around the same time they started _recommending_ that you do so, and presented it as a key feature in the marketing material.

---

Personally, I think that the only valid reason to store a TOTP secret in password manger is when you don't really care too much about an account (e.g.: prefer convenience over security), but the website demands that I set up 2FA.

The author of this article is unaware of the possibility of an audience who has no idea what the use case looks like for a short temporary token to be stored in a semi-permanent store like a password manager; what does it do? How does the token get there, and how is it used? Does the password manager infrastructure have access to the stream of tokens so that it populates the latest one, and fills it in for you when you're authenticating? Obviously any manual step in handling the token via the password manager will be worse (or no better) than just entering the token manually into the authentication dialog, so it has to work that way?

Related: Why is it a good idea to store 2FA tokens in 1Password?

https://1password.community/discussion/comment/496555

Using 1Password requires me to use one of my devices to add a device to my account.

If someone has my password and my device how will a separate app help me in this case?

Honest question as the 1password model seems to be “something you know and something you have”.

One of the risks of 2FA is losing access to your accounts after losing the authenticating device. Backing up the 2FA seeds mitigates that risk. The backup needs to be encrypted with the password remembered and stored somewhere. Sounds like it’s a job for a password manager, preferably in an offline local password manager with a different database.

Ultimately, you have to store your backup codes somewhere. So the only solution besides using your password manager is using a second password manager. Or not using a password manager to save off your backup codes, which has its own disadvantages.

There's lots of cases where 2FA reduces to 1FA. E.g. logging into a website on your mobile phone, and getting your TOTP or SMS code on that same phone. In fact-- that case is so common I wonder if we should just get more used to the idea of 1FA, with smartphone passkeys/biometrics/SSO being the auth factor. As it stands, if you compromise someone's smartphone (and have their smartphone PIN), the odds are great you can autofill any password you like on their phone and pull up any needed 2FA tokens as well.

IMO the real advantages of 2FA are threefold:

1. The key is generated by the server, not the client (human), so it cannot be reused like a password.

2. The authentication is temporally bound, so phishing only offers access for ~30 seconds, unlike a password where it provides unlimited access until someone changes it (never unless forced in practice).

3. It's literally required for many services, so you need to use it. The alternatives to storing your secrets in your password manager are keeping them on your phone (which is how most people log in anyway, so its already becoming a single point of failure) or using something like SMS 2FA, which is even worse as SIM jacking is pretty trivially possible on most providers.

The primary reason I used 1password + 2FA at both my business and in my family is really simple: 1password creates a shared 2FA process. That is, I can create a 2FA login that someone else in my team or family can also access.

Good advice in this article. Keeping TOTP in a good password manager removes risk of making mistakes with the codes by tying it to the same auth sequence as the password. The assurance that the codes are securely stored, easy to use and to establish on a new trusted device lets services be used confidently which don’t allow vulnerable bypassing of credentials with easily purchased proofs (SSNs, street address etc.)

Backing up TOTP seeds encrypted is a good idea if you know what you’re doing.

It is a security-improving move when humans are factored in, not a trade-off between security and convenience.

This might not be solution for everyone but wouldn’t the best protection to use two separate password managers? One for passwords and the other for the TOTPs?

I wonder why service providers don't have it already. They could even help ensuring that the passwords are different and provide some interoperability between both vaults (e.g. TOTP on mobile device is passed to PC password completions)

I really wish we could store passkeys and totp in bitwarden where access always goes through a server side KMS.

Currently, bitwarden stores these encrypted, but they are unlocked with the rest of the password manager.

For now I'll stick to yubikey for 2FA.

But I wish I could use bitwarden as a layer of abstraction, such that bitwarden would always require my yubikey before allowing any of the passkeys or totp keys to be used.

Maybe there’s a language issue here… but would any saved 2FA code be expired the next time you retrieved it from your password manager? They’re generated for one-time use and have an expiration, right?

Or, when the author says “save the 2FA code” does he really mean “use the password manager to generate the 2FA codes”?

A good explanation for the layperson is: MFA means access requires something you know (a password) and something you have.

In the early days of MFA that thing meant a cellphone because it was SMS by default, but yeah, a laptop or computer of any kind is a "thing you have" as well.

If useful to this crowd. I use keepassx, I made a way to easily print off key passwords along with their instructions:

https://github.com/kardianos/safekeysheet

It could be modified to also print out the otp as well if stored.

A file-based password manager ils something you have (the file) and something you know (the master password) provided you have a timeout on the password manager and a safe screensaver. (In reply to some comments below).

It does require some thought / hygiene but seems a fair compromise.

For a few years I've used the exact same setup as the author in regards to my TOTP codes, password manager, and WebAuthn hardware keys. This past year, I've supplemented this with biometric passkeys on Windows, Apple, and Android.

Basically because 2FA is a useless nuisance when you've got unique high entropy passwords that can't be stuffed, and it's not a defense against your entire password corpus being leaked.

When I upgrade my phone, I keep the old one as a backup and load the same OTP codes into the authenticator app on my new phone. It is no problem to have OTP codes on multiple phones.

I do it for some accounts where I don't care that much about having 2fa, but its forced, and its easier than getting SMS notifications.

You may say I am a dreamer, but I am not the only one!

Storing 2FA codes in your password manager is not a good idea at all in case you get it breached. Otherwise it could be a convenient idea.

If your password manager gets breached you could also loose control of your 2FA as it can be replaced as well.

We need to securely store our 2FA codes, sure. But I would advise not to use the "normal" password manager. I for use have them printed on paper.

>A time-based 2FA (TOTP) is time-sensitive, and a man-in-the-middle or proxy needs to be set up to capture that in real-time

Is that supposed to be remotely difficult? It'll take maybe an hour to whip up a script that takes the captured credentials, passes it onto a headless browser to attempt the login, capture the session cookie, and optionally refresh the page regularly to keep the session active.

cause the risk isnt in hackers hacking your password manager

[dead]

[dead]

TLDR: Account security is a balance and saving it in a password manager has more benefits than downsides