Using a password manager for MFA/2FA

I currently subscribe to 1Password and can’t imagine using the internet without it. I used Google Authenticator for 2FA when it was released and recently moved to Authy for better cross-platform support as well as Apple Watch integration. One of my coworkers was talking about using 1Password as a replacement for Authy and that got me thinking about switching. My questions are:

  • Do you use a password manager for both username/password and MFA?
  • If so, which password manager and how reliable has it been?
  • What app do you use for MFA and how do you handle joint accounts with a partner/spouse when using MFA?
  • Should I be concerned about potential security threats by having all forms of login within the same service?

The idea of having one system is such a temptation to me, but I don’t want to throw away what I consider decent online security just to do the easy thing. Any thoughts or insight would be greatly appreciated!

I use 1Password for both passwords and 2FA. I use the family plan and share those logins with my spouse.

2 Likes

I use 1Password to store login credentials as well as the 2FA code. I am on the family plan.

It has been very reliable.

1 Like

@JoePreiser @ronguest when you share the 1password login does it also share the 2FA code? I’m thinking that would be a good way for my partner to access sites without having to find my phone

Yes it does. The shared entry can do 2FA.

1 Like

The 2FA code is just another field in the login entry so everything in the entry is shared with whomever you share it with.

2FA is not actually that impressive when you find out how it works. You have a code generated at random by the service you’re logging in to. The QR code you scan contains that code. Then both the service you’re signing in to and your authenticator app/1Password use the code plus the current time to work out a 6 digit code. Both ends come up with the same code at the same time so if your computer has the wrong time set you have the wrong code until you fix the time.

Anyway, about putting your 2FA and your password together in 1Password and wondering whether that’s less safe than having it separately. There are a number of points to remember when deciding if it’s right for you.

  • 1Password also has two factor authentication because you need to know your master password and the long code they gave you when you signed up so someone can only get in if they have both.
  • If someone got in to your 1Password wouldn’t you be thoroughly screwed anyway?
  • How secure are the other forms of 2FA? If you can bypass the code with a text to your mobile for example then they don’t need to steal any hardware from you at all.
  • Your 2FA code on an iPhone is only protected by the security your phone offers if someone steals your phone. So if you’re using a 6 digit code, those can be broken in a few days of effort, and then they have your codes at their disposal.

I also like that in 1Password I can access my 2FA code anywhere I can sign in to 1Password. Google Authenticator is a single device solution which means you ARE eventually going to lose access to your accounts if you rely on that alone.

3 Likes

On the topic of security, I would say it’s just as secure as the other methods. Most people keep their 2FA app on the same device as their password manager. Even worse is that 2FA apps like Google Auth don’t even have a password or even encrypt, or better yet, they don’t back up the data. So long as you have a strong and long password for 1Password you should be fine.

Honestly, you should be better than fine because the ease that 1Password brings to using 2FA will make you use it in more places, thus making you even more secure. 2FA on 1Password is so good it’s almost like you don’t even have it.

2 Likes

For those that store 2FA accounts in 1Password, but also protect 1Password itself by 2FA (TOTP): what app do you use to store/display that 2FA code? (To make sure you don’t lock yourself out)

@rob I ended up storing it in 1Password (in my 1Password item) as well as Authy. Authy really only as an extreme last resort due to the number of devices I already have 1Password installed on.

1 Like

I’m considering that as well.

Do you protect Authy by a password? And where do you store that? (It never ends 😉)

@rob I have a backup password for Authy which is on my 1Password emergency kit in a fireproof/waterproof safe at home, and I have a copy in my safety deposit box at my bank.

I also have a family plan and share my 1Password account item and Authy item with my fiancée in case something happens to me, and she needs to get into any accounts.

1 Like

1Password (w/ subscription) for password management and I’m migrating my 2FA stuff from Authy over to it very slowly.

Someday I’ll move up to the family plan and get my wife on board with 1Password.

1 Like

I spent a majority of the weekend migrating from Authy to 1PW and I have to say the ease of use now was well worth the time spent changing. I also found a bunch of sites that I didn’t have 2FA enabled on that I added. Appreciate everyone’s feedback! It was the motivation I needed to switch!

This was one of the best things I did for the online security of our family. It finally got my wife off of using the same password for every (web)service. Plus having a shared vault for logins that we both need access to prevents needing to keep the administration up to date in multiple locations.

1 Like