top | item 40866070

marcrosoft | 1 year ago

Congrats on launching and building something. Unfortunately I think this is very bad for security. We have seen numerous account takeovers from iMessage and SMS-based 2FA. This makes it even easier. I also don't understand why password managers are starting to support storing TOTP. It is a terrible idea.

LelouBil | 1 year ago

My view is that TOTP/2FA prevents someone with only your password from logging in.

Having the TOTP seed inside a password manager doesn't break this goal, so I'm fine with it.

Of course it means if my password manager gets hacked, there's everything to log in inside, but I'm more concerned about services leaking password hashes that get broken, or accidentally getting phished (and giving up a password + TOTP combo that can only be used once) instead of my password manager being hacked.

dylan604 | 1 year ago

I just went round and round with my bank about needing my phone number so they can text me a TOTP. You know, for security. They just can't quite seem to wrap their head around how having the same device running their banking app that also receives the text is not secure when the device is no longer in your possession.

kstrauser | 1 year ago

> I also don't understand why password managers are starting to support storing TOTP.

1Password's had this for many years now. In a perfect world with users who followed the rules perfectly every time, a separate TOTP gadget is clearly better. In this world, a slightly less secure TOTP system that's convenient enough that regular people actually use it is vastly better than a perfect system that gets worked around.

Analogy: NIST says to stop requiring periodic password rotations. In dreamland, users would use their password manager to create a new, ultra-strong, unique password every time. In reality, people tired of the rotation treadmill go from `SecurePassword!202406` to `SecurePassword!202407`.

As a component, a separate TOTP generator is better. As a system, an integrated one is more useful.

dheera | 1 year ago

I'm 200% in favor of exposing how bad SMS is until companies stop using it and start supporting hardware keys.

immibis | 1 year ago

It turns out that security at the expense of usability is at the expense of security.