I received an email from Evernote recently saying they were going to switch their security to use TOTP instead of SMS.
I’ve never done it before but it seems 1password can do it. Does anyone use 1PW for TOTP? Any drawbacks vs something like Google Authenticator?
I moved all of my TOTP stuff from Authy into 1Password awhile ago and it works great. They even send it to the clipboard after filling in your password.
+1 for TOTP in 1Password. It’s great and after you paste your username and password in, it auto copies the One time code for you onto your clipboard ready to go.
I use 1Password for TOTP, even though it’s no longer real 2FA.
More info: 1Password & 2FA: Is it Safe to Store Passwords and 2FA Codes Together? | 1Password
(I hope we soon can use passkeys instead of username/password/TOTP everywhere)
Thank you. I think I read that article previously but forgot about it. I’m always wondering how safe it really is when I use my phone number as 2FA because it just comes to the same device in the open. It’s super easy to use Safari in this way because Safari will fill in the code with one click from the Messages app.
Following the logic of that article, SMS as the authenticator seems ok: your password was secure until you unlocked 1Password. Once that is unlocked, the authentication is just confirming you have your device. Someone could intercept that, but it seems low risk to me. I might be wrong.
Alternatively, that article misses a key thing for me. Having the TOTP in a separate app means I can have 1P unlocked but still have the TOTP locked in Authy. This is maybe only significant if you don’t have 1P set to lock immediately.
Personally I have everything in one place, 1Password, except I have the TOTPs for 1P and Proton mail in Authy. The latter is because I use Proton mail for my banks, so I like the added security (even if it’s not necessarily useful).
It’s one of the weakest forms of 2FA (due to SIM swapping).
I do this with Bitwarden and used to do it with 1Password.
BTW, when I switched to BW from 1P all of my TOTP codes came over in the export / import process when using 1P’s .1pux export file format.
Thank you all for the help. I just successfully did it for one account. For those that like to see a video to understand how it works, I watched this. As simple as it is, I didn’t want to mess it up and this was ridiculously easy.
Nothing wrong with being sure before you act.
“Measure twice and cut once”