top | item 40888407


mt42or | 1 year ago

It is really a bad article. Instead of making things easy to understand, it makes things more complex.

Factors are: Knowledge (password), Inherence (biometrics) & Possession (device).

If you have multiple of the same factor, it remains a single factor.

1Password itself is only one factor for authentication, whatever they offer (password, TOTP, passkey).


Skunkleton | 1 year ago

That's not correct, at least depending on your threat model. Having a password stored + totp in a password manager does give the advantage of protecting you against the loss of the stored password itself.

Specifically with 1password I have all three factors you've mentioned above. 1) knowledge - my vault password is memorized, 2) inherence (?) - biometrics used to unlock the vault on trusted devices, 3) possession - my account requires a security key to unlock.

microtonal | 1 year ago

Having a password stored + totp in a password manager does give the advantage of protecting you against the loss of the stored password itself.

Which becomes far less relevant when using a password manager, because people don't reuse passwords anymore. Password managers also autofill, so eavesdropping on a password is also not possible anymore. One of the primary vectors for compromising passwords is compromising the password manager, which would also compromise the TOTP codes if they were in the password manager. You have much stronger protection against that if your TOTP codes are stored on a separate device.

That said, TOTP is also pretty terrible because it does not really protect against phishing (just make a phishing site proxy both credentials).

Hardware keys are the only really secure solution if you consider password manager compromise as part of your threat model.

Remember that password managers are compromisable, just look at LastPass's history.

adastra22 | 1 year ago

...how? Loss of the stored password would mean loss of the TOTP too.