Question
Take, for example, 1Password, which can now store your password and one-time password secret in a single place (your 1Password vault).
I know it isn't truly two-factor anymore, but how much better is it compared to single-factor authentication?
To be more clear, say I have a Dropbox account with two-factor authentication enabled, and I store both my Dropbox password and OTP secret in 1Password -- thus both accessible by one factor, my 1Password master password. Assuming I have a strong master password, and my Dropbox password is strong and isn't repeated anywhere, is there any security to gain from using two-factor for Dropbox?
Explanation / Answer
Yes, there is a slight security gain from having two-factor authentication (2FA) enabled on a site even when you store the 2FA generation/reset code in your password manager. In a scenario where the attacker can monitor your keystrokes or the credentials you're sending to the website but not download your password database, they would not be able to log on to your account with 2FA enabled because they wouldn't be able to determine your seed/reset code. It's not a common scenario, but a script kiddie might get keylogger software while not having the technical skill to find and steal your password database. A man-in-the-middle attack would also collect your credentials without having access to your password database.
A better solution would be to keep your 2FA generation/reset codes in a separate password database, locked with a password kept in your primary one and stored in a separate location. Then even someone with your password database and your master key will be unable to access your accounts protected with 2FA, and you'll be able to recover your accounts if your cell phone (or other 2FA device) is lost.