10

Take for example 1Password, that now can store your password and one time password secret in a single place (your 1Password vault).

I know it isn't truly two-factor anymore, but how much better is it compared to single factor authentication?

To be more clear, say I have a Dropbox account with two factor authentication enabled, and I store both my Dropbox password and OTP secret in 1Password -- thus both accessible by one factor, my 1Password master password. Assuming I have a strong master password, and my Dropbox password is strong and isn't repeated anywhere, is there any security to gain from using two factor for Dropbox?

kolossal7
  • 101
  • 3
  • 2
    Why would you even store a OTP? Given it's 2-step verification this is generated *every* time and only valid for that single communication. Regardless, it seems to me that you are pretty much rending the 2-factor security redundant if your storing both under a "master" password. – James Feb 03 '15 at 11:58
  • 1
    @James Not the OTP, the OTP _secret_, that is, what your two factor app gets from QR code that the issuer (e.g. Dropbox) displays. Right, that's what I thought, but what I mean is, is there any additional security? I would think its almost zero if both the Dropbox and 1Password password are strong enough. Which begs the question -- what is the point of AgileBits putting it into their software? – kolossal7 Feb 03 '15 at 12:03
  • I think the protection here is that your are not using a static password that you also use everywhere else. So, it's really targeting people that use a password manager and different passwords for all sites. – nowen Feb 03 '15 at 16:19

3 Answers3

6

Yes, there is a slight security gain from having two-factor authentication (2FA) enabled on a site even when you store the 2FA generation/reset code in your password manager. In a scenario where the attacker can monitor your keystrokes or the credentials you're sending to the website but not download your password database, they would not be able to logon to your account with 2FA enabled because they wouldn't be able to determine your seed/reset code. It's not a common scenario, but a script kiddy might get keylogger software while not having the technical skill to find and steal your password database. A man-in-the-middle attack would also collect your credentials without having access to your password database.

A better solution would be to keep your 2FA generation/reset codes in a separate password database, locked with a password kept in your primary one and stored in a separate location. Then even someone with your password database and your master key will be unable to access your accounts protected with 2FA, and you'll be able to recover your accounts if your cell phone (or other 2FA device) is lost.

Aron Foster
  • 1,204
  • 2
  • 11
  • 19
3

I agree with Aron's answer but will add that having the OTP codes in the password manager defeats the spirit of multi-factor authentication which is to supplement something you know-- a password-- with something you have-- usually your phone.

Using 2FA to access the password manager may be sufficient protection, but be clear that when you store the OTP generator next to the password, it's no longer a true second factor. They are both now a single factor of something you know which can potentially be comprimised at the same time in the password manager.

There may be situations where having the OTP generator in the password manager is the least-worst option. Consider a provider used by your company that does not offer per-user accounts, so team members have to share a single login. The service might not allow multiple 2FA devices or it might be not feasible to setup all the 2FA devices for team members that might need the login. Given that situation, sharing the password and OTP generator through a password management solution might be the least-worst option, when combined with 2FA for the password management service. This would be better than the alternative of disabling 2FA of the target site so thee login can be shared.

  • I was wondering about this, myself. You say that storing the OTP secret in the password database is replacing "something you know" and "something you have" with just "something you know". But is that really true? I think it's replacing it with a different set of know/have: namely, you must *have* a copy of the password database, and *know* the master password. You can claim that it makes it easier to compromise since you only need the PW database, but you could say the same about logging into a service on the same device with your OTP generator app (only the phone needs to be compromised). – Ben Feb 12 '16 at 16:48
  • @Ben see [http://security.stackexchange.com/questions/3796/how-is-something-you-have-typically-defined-for-two-factor-authentication](How is “something you have” typically defined for “two-factor” authentication?) for related discussion of "have" vs. "know". I agree that having the OTP generator on the device you log in is also not ideal. – Mark Stosberg Feb 12 '16 at 18:12
0

1Password has two modes it operates in, local and cloud mode.

If you had the a local vault on one device, and another device had the authenticator, combining the two in one device is very likely to reduce security.

If you had both the local vault and authenticator saved only on one device, the security is probably not improved. If someone has the capability to install a keylogger, they probably have the capability to clone the authenticator secrets.

I think having both factors for two factor authentication stored within 1Password in cloud mode weakens security. Someone compromising your 1Password vault could be anywhere in the world - rendering the point behind the "something you have" concept somewhat moot.

This is not to say that compromising 1Password is easy - as well as the master password, there is the secret key (though technically both are "something you know") and a potential one-time-password or other security device.