I am not sure I worded the title of this post correctly.
What I’m trying to figure out is how to set Password / Keychain up so that two-factor authentication codes that I have already set up in various accounts are sent automatically to the Password / Keychain app. Based on this article, I believe I understand how to set this up for new accounts, but I don’t know how to get the codes to go directly to the Password / Keychain app for accounts that have already been set up with two-factor authentication. Currently, all of my codes are sent via text message. My understanding is that is not best practice. Any assistance will be greatly appreciated. Thanks!
You need to sign into each account (presumably on their site) and reconfigure 2FA for each account. If the site allows you to configure multiple authentication options, then select the “add” option and set up a new key (you may optionally delete the previously configured text message option or leave it configured as a fallback). If the site does not allow multiple types, then you will need to turn off “text message codes” (or whatever that specific site calls it) for that account and then enable a new key. Note that there may be some sites which do not offer the key option, in which case you will need to continue using the codes sent via text message.
For sites which support multiple options, you need to select one as the default. Whichever is set as the default will be presented to you when you attempt to sign in. If that fails for some reason you will likely be presented with the option to use one of the other configured options. So make sure you have the one you want to use as the default. Of course, if the reason for doing this is to tighten security, then maybe you don’t want text messages as a fall-back. In that case, be sure to delete that option on the site.
Nearly all of my online accounts that offer 2FA have already been set up with 2FA. That is far too many accounts to redo. In the future, I’ll probably add any new accounts to Password / Keychain. I’m hoping that Passkeys will be more widely adopted and at a faster pace.
I would still recommend switching to app-based 2FA/TOTP keys gradually when you have time. Maybe do a couple of accounts every now and then? I have just manually moved over 70 accounts from Authy to another app, which is essentially the same process as the one you face, and it took me about three hours. 2FA over SMS is less secure and is potentially more prone to SMS spoofing attacks.
To move accounts to iCloud keychain (or any other 2FA app), one needs to copy the initial seed (from which all the one-time passwords are generated). You are offered a long string along with the QR code when initially activating 2FA for an account – that’s the seed. If you don’t store it safely, or if your 2FA app does not allow export, you need to re-enable 2FA for that account to get a new seed because you no longer have a record of it.
Sadly, many 2FA apps do not allow the export of the seed (this includes Authy and Microsoft Authenticator – I don’t use 1Password, so I don’t know whether it has that ability).
I exported 1Password to their unencrypted .1PUX file and imported into Strongbox. Three (of 3) TOTPs exported; two of three worked. The third generated TOTPs but it was not correct.