
2fa – A two-factor authentication agent - stablemap
http://rsc.io/2fa
======
regecks
Genuine question: To what extent is it a second factor if you e.g. have both
your password manager and your TOTP secrets on the same device?

~~~
miohtama
If it is a mobile device, the chances that a remote access trojan can access
TOTP codes are low. iOS and Android have a better security model compared to
desktops. This includes device encryption, a password or similar by default,
and sandboxing.

------
joeblau
I use 1Password for 2FA, but this is pretty awesome!

~~~
tptacek
Why do you bother? If 1Password is generating your passwords, you're getting
virtually no additional security from TOTP by having 1Password manage your
TOTP secrets.

~~~
joeblau
You actually do get additional security. A password (in my view) is
disposable. I already assume that every site that I have an account for has
been compromised so the passwords 1Password is managing are burner passwords.

In order to get access to my account you'd need to know my 1Password master
password (which is only in my head) in order to access anything that requires
MFA/2FA. If someone hacks Amazon, Coinbase, Twitter, Dropbox, Google, or any
other place and somehow figures out my password, they still can't log into my
accounts.

Now, in the case that one of those services gets hacked and they get access to
more than user credentials, e.g. all of the data/metadata, then you're right:
having MFA/2FA is useless.

- Password is for them
- TOTP is for me

------
fullung
On this topic, shout-out to ykman oath (if you have a YubiKey).

