WingNews logo WingNews
top | item 18744332

(no title)

reconbot | 7 years ago

I was having an argument over 1password's 2fa support not being a second factor. (I don't think it is.) However, it is so much safer than not using 2fa. In similar terms U2F is amazing and keeps you from being phished and has a great challenge/response protocol, if that was implemented in 1password (or browsers themselves thank you!) we'd all be a lot safer than not using it at all.

In 2018 I'm using an app to take screenshots of QR codes to generate one time codes. It's a sad state of the art, we need to do better.

discuss

order

aasasd|7 years ago

Afaiu 2fa primarily protects from password leaks on the part of the service and coincidentally some other kinds of leaks such as keylogging. Not so much from data theft on the user's side.

A different question, though, is whether a password keeper web service could leak passwords like any other service.

chimeracoder|7 years ago

> Afaiu 2fa primarily protects from password leaks on the part of the service and coincidentally some other kinds of leaks such as keylogging. Not so much from data theft on the user's side.

2FA is meant to protect primarily against phishing. It happens to protect against some other attacks as well, but phishing is the primary motivation.

That's why physical U2F devices are considered the gold standard of authentication today - it's possible to phish a TOTP code, but it's very difficult to phish a U2F signature, and impossible to do so through a scalable, automated attack.

seppin|7 years ago

> (I don't think it is.)

If your master password is someone exposed, then nothing really protects you.

matwood|7 years ago

This is not true. 1Password could have a breach which exposes your master password. A hacker would then have access to your passwords, but not your 2fa. Even if you do not keep these items physically separated like a hardware token, it makes complete sense to have them be in different applications. For example, passwords in 1Password and tokens stored in Authy.

dev_dull|7 years ago

Wouldn’t an 2fa device (such as an otp token) actually protect you in this case? They have your password but not your otp generator.