I have always done this.Mainly for convenience. However it has just occurred to me would it be safer to store my 2FA codes in a separate app such as Authy. ?
I store a couple in 1Password, but mostly use Duo Mobile, which has a nice Watch app, and can generate passcodes and respond to push requests.
If your password for, say, Amazon is compromised, then having 1Password generate 2FA doesn’t reduce your security, as the bad person would still need your 1Password password to generate the 2FA passcode.
If they have your 1Password password, you’re pretty much done for.
Definitely. 1Password copies the current code to the clipboard when you fill in the password so there whole operation becomes seamless.
Yes…but…my worry is what if somebody gets access to your 1password. Unlikely but not outside the realms of possibility. At least if you are storing the 2FA elsewhere there is some protection.
There are security reasons not to store your 2FA in your password keeping software.
But there are sanity reasons to store your 2FA in the same software you store your passwords.
Allowing texted 2FA to your mobile is in my opinion a worse security issue than storing Time Based one time passwords in 1Password.
I’ve been doing it for years and have no concerns.
I understand your thinking, and to a certain extent could agree.
But if the app is one the same device (usually phone) there’s no real security win.
If that one gets stolen having spread stuff around apps does not make you much safer.
I use 1Password myself. It satisfies my 2FA (or multi factor) needs because there’s a separate password to access the app, and I can get at the web interface in case my phone is lost.
I would define 2FA as having two items from this list:
“what you are”, “what you have” or “what you know”.
1P on my iPhone is my “what I have” and the password to 1P is 1 part of “what I know”, the other part being the password in 1Password to the site of app. (taking a little bit of liberty with definitions, I know…)
My touch- or face-id would be the what I am, but that’s secondary in this case because that is used to unlock 1Password.
In the case of 1P being compromised I would be far more worried about access to my email accounts than anything else. If someone controls those it would be trivial to reset your 2FA on your account. And in that case Authy would be useless.
(also; 1Password would probably contain your Authy protection pin/master pass anyway)
Storing 2FA info in 1Password doesn’t bother me.
I assume hackers are more interested in stealing my info in a batch with several million other users’ by compromising bank servers, etc., than they are interested in taking the time to hack into my or someone else’s account one-by-one.
Ahh, but wouldn’t it also be used to unlock a separate 2FA app? Or are we suggesting using a manual password on the Duo or Authy type app?
I’ve been storing 2FA in 1Password as well. I don’t really have any worries about it. 2FA is not a complete solution either and comes with its own risks. I trust the code in 1Password way more than having it texted to me, which is the only option some sites offer. That said there is always a degree of risk and never complete unhackable security to begin with. You have to balance security, risk, and convenience no matter what.
I store my 2FA codes in 1Password except for my 2FA code for my 1Password account, which is stored in Authy.
The daily practical usefulness of 1Password auto-filling 2FA-codes outweighs any concerns I have about putting them in the same place, and even if someone did manage to get my Master Password and my 1Password.com account key (both of which are highly unlikely), they still would need to get my Authy 2FA code before they can get into my 1Password.
1 Password works well and the convenience is great. For accounts that really matter I recommend a hardware token.
For a totally unconventional idea, I rarely use 2FA and do not enable it on most things. I do not store the few 2FA codes I do use in 1PW either.
There is no point in storing 2FA codes since they expire, usually in 30 seconds.
Having a 2nd factor authentication significantly increases the security of an account. Even if it’s Only via sms witch has a risk of sim swapping.
Not having all eggs in one basket is a valid concern. So using an outside system makes sense for hi risk accounts. In witch case I advocate for a hardware token if possible.
My admittedly high-effort work-around to the SMS-only 2FA is this: I created a separate gmail account and Google Voice # for SMS-only 2FA and set text messages to be emailed to one of my primary email addresses. Imperfect for sure, but at least I’m not giving out my personal cell phone number.
High effort and imperfect, maybe. But an interesting solution to giving out your cell number. I often wonder as I fill in that field… My hope is that these are not the companies that sell or spam my phone number.
Why not do both?
I have several 2FA in Authy and 1Password. The ones I hate are the ones that only offer sms, which is terrible for many reasons.
There sure is, because no one is ever getting in to my device.