You are better off security-wise with 2FA enabled than without it (for the phishing-related reasons mentioned in TFA - EDIT: taviso is correct in their comment, it's more about protection against credential stuffing than phishing), regardless of where you put the codes, so if being able to put the codes in your password manager is going to be the difference-maker in someone electing to use 2FA, they should do it.

It's the same idea with using a password manager in the first place - if a password manager is going to be the thing that gets you to use secure passwords that vary across services, it's worth the tradeoff of having all of those passwords in one place, because you're much more likely to be compromised by a bad password than by a password manager leak.

The reason I store 2FA codes in my password manager is as a protest to companies forcing me to have a 2FA. I don't want to be randomly locked out of my google account due to not having a usable 2FA, and I also don't want to depend on having a single device be always available to provide the codes.

In practice, I feel the main reason 2FA is popular is because people cannot be trusted to create unique and secure passwords for every service. The phishing-resistance is nice, but I'd prefer it being the only credential, and just having it be autofilled (making it longer to combat bruteforce), like what we currently have with password managers...

Here's to hoping passkeys turn out any better.

I store 2FA keys in a fingerprint protected Aegis vault on my phone, and I periodically export an encrypted (with a master password I remember) backup that I then email to my parents.

I get their argument that 2FA makes phishing more difficult, but I disagree that it's its "primary use", or that the distributed factor is unimportant. I personally wouldn't feel comfortable having all my important accounts behind Bitwarden's single point of failure. 2FA for important accounts mitigates the damage if my Bitwarden is broken into.

I'm not familiar with the expert they consulted, but the claim that "The main advantage of 2FA is that it is much more difficult to gain access to your accounts via phishing attacks" is just plain false.

TOTP or SMS-2FA are obviously phishable, if you just entered your password into a phishing site, why wouldn't you also enter a TOTP code? I usually point to Modlishka as a practical example (https://vimeo.com/308709275) to help visualize this.

In fact, the main (claimed) advantage of 2FA is that it prevents "Credential Stuffing" of reused passwords. I personally don't think TOTP (or similar) are a good solution to this problem at all, but this is a thorny issue.

It's better than not having 2fa, but a breach to your password manager would give any attacker full control over your accounts.

A better approach would be to split in two solutions where you store passwords and 2fa keys.

I use bitwarden for passwords, but save all 2fa in aegis. These two have different 5 word passphrases prefixed with a regular 8 char password to increase entropy. I save a backup of the 2fa db to a replicated storage with a synthetic password. For bitwarden I delegate persistence of the data to bitwarden, but it would make sense to take encrypted backups regularly.

The disaster recover protocol is to have a smaller 2fa encrypted database printed in paper. I know the password to this db. Recovering this DB gives me access to bitwarden and the cloud storage, which gives me access to the rest of my password and keys.

I disagree with the experts here. There was and is absolutely nothing wrong, and quite a lot right, by having the 2FA program completely separate from your password vault. At best, this is a lateral security trade-off that you are paying them to provide. View the 2FA feature from a software marketing and sales lens. Can you see how it's just feature creep, driven by competition doing the exact same thing?

More generally: the world would be a better place if most people relied on password managers. If you can do it reliably, using any password manager, even the one built into your browser or OS, is better than not using one.

The problem is that it requires a certain amount of good hygiene when it comes to computer equipment. There are many people who are bad with computers, who don’t have phone backups and lose their phone, who will share accounts and devices, and so on. The result is an insecure mess.

So, solving the “people should use a password manager” problem requires solving all the other issues surrounding how non-technical people use and misuse computer equipment, so that having a password manager and not losing the essential data stored in it becomes the default.

For some people, it would probably be safer and easier to write down your passwords on paper, in a notebook. Other people will lose the notebook, or have it stolen from them. There are similar but more complicated issues with holding onto computer devices.

Important to note that not all password managers are equal. Using Apple’s built-in password manager is more secure because it is inherently tied to your biometrics and authentication is hardware-based, i.e Secure Enclave. This is categorically different from web services like Bitwarden or 1Password authenticated by login email and 2FA codes. Even if someone got into your Apple ID they still would be unable to view or sync your passwords without biometrics.

I had my password manager compromised by a business partner. I added him to my 1Password account and then, in a play for control of the company, he attempted to remove me. Lesson learned: don't try to save money on password managers.

If all of my 2FA code generators had been in 1Password I would have been truly screwed, but in a stroke of luck I had been paranoid enough to use a separate app for 2FA codes.

Because there's a trade-off between security and convenience.

People advocating against storing 2FA codes in the password manager are correct from a purist perspective, but not from a pragmatic perspective if you ask me.

If my device is compromised, along with my device's password, as well as the password manager's password, then yeah... I'm screwed.

As long as I keep my devices up-to-date though, I believe the highest risk comes from state-sponsored actors. I've chosen convenience, and I've made my peace with it.

It's interesting how many argue that putting 2FA codes into a password manager is wrong because you combine 2 factors into one (not don't fully agree with that reasoning), but then are happy with passkeys. How are passkeys better?

I think it's a terrible idea, because it dramatically decreases the attack surface area needed to compromise accounts. 2FA is supposed to be "something you know' and "something you have"; putting your 2FA seeds into your password manager reduces your 2FA to "something you know", and, significantly worse, it's "something you know in the same place as the other thing you know".

The time-variant component is still quite valuable, but it does nothing to protect you in the event of a password manager compromise. This is not a hypothetical; LastPass has suffered multiple breaches, and the more popular a solution, the more likely there are to be attacks against that solution. By keeping your 2FA separate from your password manager, even if it's still just "something you know", it's something you know in a location that's orthogonal to your passwords. If I yield to convenience and use a 2FA desktop app, then now, instead of just attacking my Bitwarden install, you have to successfully attack my Bitwarden install and my 2FA desktop app install to get access to my accounts, and the combination of password managers * 2FA managers is a substantially larger attack surface and requires a significantly more sophisticated attack to get both pieces.

The arguments in the article come down to "well, 2FA mitigates phishing attacks" (true) and "Google Authenticator means you can lose your data easily" (also true). But neither of these is a good argument for why the data should be kept together. It just means "use 2FA", and "use a 2FA manager that lets you directly manage your seeds and keep offsite encrypted backups".

If you can't be bothered to do it properly, then 2FA codes in your password manager is certainly better than not using 2FA at all, but that just makes it a less terrible solution, not a good one.

The first reasoning basically summarises to "storing 2FA token in a password manager protects against phishing because the TOTP token won't be autocompleted on the wrong domain".

Any decent password manager would avoid autocompleting the password on the wrong domain in the first place. I.e.: it will already protect against phishing attacks anyway.

1Password's documentation use to have a whole article about how bad an idea it was to store TOTP in a password manager — but their stance completely changed at some point. Around the same time they started _recommending_ that you do so, and presented it as a key feature in the marketing material.

---

Personally, I think that the only valid reason to store a TOTP secret in password manger is when you don't really care too much about an account (e.g.: prefer convenience over security), but the website demands that I set up 2FA.

The author of this article is unaware of the possibility of an audience who has no idea what the use case looks like for a short temporary token to be stored in a semi-permanent store like a password manager; what does it do? How does the token get there, and how is it used? Does the password manager infrastructure have access to the stream of tokens so that it populates the latest one, and fills it in for you when you're authenticating? Obviously any manual step in handling the token via the password manager will be worse (or no better) than just entering the token manually into the authentication dialog, so it has to work that way?

Related: Why is it a good idea to store 2FA tokens in 1Password?

https://1password.community/discussion/comment/496555

Using 1Password requires me to use one of my devices to add a device to my account.

If someone has my password and my device how will a separate app help me in this case?

Honest question as the 1password model seems to be “something you know and something you have”.

One of the risks of 2FA is losing access to your accounts after losing the authenticating device. Backing up the 2FA seeds mitigates that risk. The backup needs to be encrypted with the password remembered and stored somewhere. Sounds like it’s a job for a password manager, preferably in an offline local password manager with a different database.

Ultimately, you have to store your backup codes somewhere. So the only solution besides using your password manager is using a second password manager. Or not using a password manager to save off your backup codes, which has its own disadvantages.

There's lots of cases where 2FA reduces to 1FA. E.g. logging into a website on your mobile phone, and getting your TOTP or SMS code on that same phone. In fact-- that case is so common I wonder if we should just get more used to the idea of 1FA, with smartphone passkeys/biometrics/SSO being the auth factor. As it stands, if you compromise someone's smartphone (and have their smartphone PIN), the odds are great you can autofill any password you like on their phone and pull up any needed 2FA tokens as well.

IMO the real advantages of 2FA are threefold:

1. The key is generated by the server, not the client (human), so it cannot be reused like a password.

2. The authentication is temporally bound, so phishing only offers access for ~30 seconds, unlike a password where it provides unlimited access until someone changes it (never unless forced in practice).

3. It's literally required for many services, so you need to use it. The alternatives to storing your secrets in your password manager are keeping them on your phone (which is how most people log in anyway, so its already becoming a single point of failure) or using something like SMS 2FA, which is even worse as SIM jacking is pretty trivially possible on most providers.

The primary reason I used 1password + 2FA at both my business and in my family is really simple: 1password creates a shared 2FA process. That is, I can create a 2FA login that someone else in my team or family can also access.

Good advice in this article. Keeping TOTP in a good password manager removes risk of making mistakes with the codes by tying it to the same auth sequence as the password. The assurance that the codes are securely stored, easy to use and to establish on a new trusted device lets services be used confidently which don’t allow vulnerable bypassing of credentials with easily purchased proofs (SSNs, street address etc.)

Backing up TOTP seeds encrypted is a good idea if you know what you’re doing.

It is a security-improving move when humans are factored in, not a trade-off between security and convenience.

This might not be solution for everyone but wouldn’t the best protection to use two separate password managers? One for passwords and the other for the TOTPs?

I wonder why service providers don't have it already. They could even help ensuring that the passwords are different and provide some interoperability between both vaults (e.g. TOTP on mobile device is passed to PC password completions)

I really wish we could store passkeys and totp in bitwarden where access always goes through a server side KMS.

Currently, bitwarden stores these encrypted, but they are unlocked with the rest of the password manager.

For now I'll stick to yubikey for 2FA.

But I wish I could use bitwarden as a layer of abstraction, such that bitwarden would always require my yubikey before allowing any of the passkeys or totp keys to be used.

Maybe there’s a language issue here… but would any saved 2FA code be expired the next time you retrieved it from your password manager? They’re generated for one-time use and have an expiration, right?

Or, when the author says “save the 2FA code” does he really mean “use the password manager to generate the 2FA codes”?

The point here, I believe, is that 1Password will only prompt you to enter the 2FA code if the domains match, same with the password. Your point that if you've already decided to enter your password then entering the 2FA code isn't much of a hurdle is sound, but from the perspective of a user of 1Password, it is indeed very surprising (and rare!) when I try to log in to a page and find that 1Password won't show my log in because the domains don't match. It happens, usually due to some cross-origin login flow, but it's rare. So I think the claim isn't false, it's just based on a premise that might not factor in for different people.

I think their point was that it's less phishable from the perspective of needing the attacker to try logging into the site with it in realtime instead of being able to just store the password for some later time. The needed concurrency makes it more difficult (if only slightly).

I'm curious though why you don't think TOTP or similar are good against credential stuffing though, would you be able to expand upon that?

Same here. It seems like they are very narrowly optimizing for the extremely rare case of a person who simultaneously:

A) Is fooled by a phishing attack

and

B) Is not fooled enough to manually copy-paste credentials from their password manager after noticing that the autofill didn't work

Does a person like this exist somewhere? Sure, if you interview 1 million people, I'm sure you will find 1 person like this.

It is very, very strange to me that the security "experts" are narrowly optimizing for this specific user and downplaying all the risks related to their recommendation.

The most common 2FA mobile app that isn’t a password manager is Google Authenticator.

Google Authenticator doesn’t export the seeds or store the seeds in the device backup, or sync them, so when you lose or upgrade that phone, you lose all your TOTP. This is bad.

Also, TOTP in general is bad, because it is easily phished, just like passwords. Using a password manager to store TOTP cuts down on phishing risk as it won’t input them into the wrong domain site. Copying them manually from a different app is still vulnerable to phishing.

> There was and is absolutely nothing wrong, and quite a lot right, by having the 2FA program completely separate from your password vault.

Did you read the article? That's what they say.

> For maximum security, you can store your 2FA token elsewhere ... but for general purpose use, storing your 2FA in your password manager is an acceptable solution due to the convenience benefits it provides.

While it’s regrettable you had someone you trusted betrayed you, the lesson is more of never share your password manager with others.

Wild! Would that actually work in the long run? It could cause you a lot of trouble, I’m sure, but it seems like if you have any legal documentation, a lawyer would easily fix it. And it seems like it’s probably illegal to try to remove someone without consent or authorization, so it could potentially backfire pretty hard for him?

I know this happens sometimes, and I’m thankful my partnerships have never gone this bad. Did you know it was headed this direction before he tried it? Was that the end of the company?

I'm sorry this happened to you, but it highlights another very important factor. Don't keep all keys to the kingdom on one person. Always divide and conquer. Keep power distributed between multiple people. I worked at a company of 500+ people, and I'm sure the CEO didn't have access to all the IT people's stuff. They only cared that everything works and meet their quarterly goals. Shall the IT person feel like sabotaging stuff, there are distributed backups and mainly the fine print in the work contract preventing that.

I know this doesn't necessarily apply to smaller companies and startups, but have lawyers write you strong contracts that aren't one-sided, but are full of protections for both sides, if they aren't sabotaging stuff.

That’s harrowing.

If any journalists are lurking in this discussion, this would make a decent article.

Putting your 2FA into your password manager doesn't "reduce" it to "something you know". It proves it was "something you know" all along. If it can be put into a password manager, it's "something you know", regardless of what the intention is or was. Intentions don't drive what things actually are.

On a related notes, "passkeys" are also "something you know" for the same reason.

However, that does not mean that TOTP codes are useless. Not all "something you know"s are created equal. However, I shamelessly put my TOTP codes into my password manager. Just because some people mistakenly identified it as "something you have" doesn't mean I need to pretend they are correct. It just inconveniences me for no security gain.

If my primary device is compromised and my master password is compromised and the device that I use for second factor authentication into my password manager is compromised then the secondary device that I could use for 2fa codes is compromised. For most normal people, storing second-factor codes in Bitwarden alongside passwords is marginally worse at worst, and inconsequential at best.

Yes, if you use a bad password manager that is fundamentally flawed (like LastPass) then all bets are off but that's not an argument against the principle of storing 2fa codes alongside passwords in a password manager.

I doubt there's a single Bitwarden user on earth who has ever suffered a security incident because they store their 2fa codes in Bitwarden, that's how inconsequential this risk is.

Unconventional opinion here.

Passwords in the password manager are not "something you know" anymore. They are "something you have". So, no matter whether the TOTP codes are stored in the same app or a separate device, you can no longer properly call them 2FA. It's 2x "something you have" in either case.

EDIT: user "jerf" in the same comment thread says that it is 2x "something you know". The distinction whether something stored counts as "something you know" or "something you have" does not really matter. In either case, it is 2x the same type of a factor. --END EDIT.

From the "difficulty to compromise something" standpoint, you are, of course, right that storing the TOTP seed in a separate device is better. But look, this is not the primary reason why websites need to implement TOTP. The very fact that hackers need to compromise your device in order to get access to your account is already indicating a higher-than-usual security level, even without 2FA, and the article fails to notice this. Besides, the article only presents a user-centric viewpoint, while the viewpoint of a website owner would be more relevant here.

The main problem solved for real by TOTP is that users select stupid passwords like "Zhong+wen" that are guessable yet still pass complexity requirements, or reuse passwords on multiple websites (and your website cannot check for that), thus enabling compromise of the user's account on your website if another website gets hacked.

The main security reason (from the website viewpoint, not from the user's viewpoint) for TOTP introduction is, thus, to introduce a high-entropy factor which is (unlike a password) not chosen by the user, guaranteed not to be reused elsewhere, and thus cannot be guessed or compromised without access to the user's devices. This benefit is not invalidated by you storing the 2FA secret in the password manager.

Doing it properly is the key part I think a lot of people miss.

People often skip out on actually assuming responsibility for their data and accounts. A backup system should be in place and ensuring their 2FA codes are not lost with their device is part of that taking on responsibility.

You speak as if 2FA were something that most people use willingly and not just something they put up with because they're forced to.

> it does nothing to protect you in the event of a password manager compromise. This is not a hypothetical; LastPass has suffered multiple breaches, and the more popular a solution, the more likely there are to be attacks against that solution.

You can mitigate this risk by not depending on your password manager app to do cross-device sync..keep a file on Dropbox/OneDrive/iCloud Drive/SFTP/etc and use an app like KeePass/Strongbox/etc that just deals in managing credentials.

My KeePass file storage provider doesn't know what the hell I store there because it's encrypted (I hope there are no known issues with KeePass's crypto)

As a bonus, you can keep offline backups to mitigate other risks like house fire, lightning strike induced EMP frying things (happened to me), storage vendor goes out of business, and more.

-------------

I think in the end, there is no universal solution - you really have to try to be reasonable about estimating your own personal threats and risks (such as asking "am I more likely to suffer a password manager compromise or more likely to break a device?") to decide whether to keep 2FA next to passwords or not.

> But neither of these is a good argument for why the data should be kept together

The argument is "because many people, if they can't keep the data together, will elect not to use 2FA at all if given a choice."

I guess that would depend on execution. If your password manager uses strong encryption and you also use MFA for it (a yubikey for example), I imagine it isn’t all that less secure. Your point still stands, however.