Curious to see what everyone here's opinion of this is
Yes
The secure password isn't only in your securely encrypted password database. You transfer it into forms, then over the network, then you don't know what happens on the other party's side.
Having a separate factor where you verify you have the second factor (preferably a separate device, physically separate) is an important and significant elevation of security.
On anything you deem high importance it’s warranted. Elsewhere it’s weighing security and convenience.
You’re describing a shitty password manager.
In my case I have a local copy of the encrypted password database, and my master password unlocks the encryption key for that, which is stored in a hardware dongle. Browsers and other high risk software are running isolated and have no access to the encrypted password database or the hardware dongle.
I mainly see two factor authentication as a way for service providers to be lazy about account protection on their side, which they try to outsource to me.
You seem to have misread.
Even in your case (which is included if not implied in my description) you send out your password to what you want to log in to. Which was my point.
Yeah, I assumed you meant the master password to the password manager.
Still, that falls under the duty of the page I'm visiting to keep their stuff secure - and while I'm very unhappy about some recent practices¹ I'd be more for documenting and battling it out in court, if necessary.
¹ My browser configuration used to prevent 3rd party iframes or similar constructs for entering passwords - unfortunately in recent years some idiots decided that’s good design, so more and more often you nowadays have to allow embedding third party components without it being visible where it comes from.
Even worse, quite often credit card verification or other payment forms get embedded the same way. Until a few years ago my bank was throwing errors in their forms when they got embedded this way, but unfortunately they caved in to the general idiocy out there, and allow that nowadays.
that falls under the duty of the page I'm visiting to keep their stuff secure - and while I'm very unhappy about some recent practices¹ I'd be more for documenting and battling it out in court, if necessary.
You seem to be ok letting others take responsibility for the security of your online accounts, and want to turn security shortcomings into legal justice. If that works for you then that’s fine, but it’s not good security.
A lot of current “best industry practices” - including the ones described - are grossly negligent. It also moves the burden of proof of responsibility for a security incident more in my direction - while providing me less and less means to prevent it.
With the iframe example - I nowadays typically can’t see if I enter my credentials (including potential 2FA to unlock a session) into a form belonging to my bank, or some malicious 3rd party without going into developer settings. That’s not acceptable.
There's no good reason for a modern browser to even allow this - just as there's no good reason for allowing script files to be loaded from arbitrary domains. But we now have the situation where the business model of the main browser developer depends on not stopping that kind of behaviour.
So what I want is that putting design over sensible security choices gets expensive for companies - and I’m not interested in adding some band-aid reducing their risk while this is not the case.
The only online accounts I care about are my bank accounts - for those I'm using hardware dongles for TAN generation instead of the shitty Android app they're pushing (which would allow transactions without external auth, due to some "trusted device" nonsense). Everything else can either be replaced, or is on my own infrastructure.
Everything else can either be replaced, or is on my own infrastructure.
I’m curious, do you have accounts on other social media? Also, do you have any accounts on sites like shopping, government sites, etc.? And if you do, do you intentionally not use MFA (if it’s available) because you believe it should be those services making sure you are secure instead of you taking steps to make it harder to compromise your accounts?
Have you looked at it from this angle: MFA is one of the steps that service providers are taking to be responsible with securing your account.
Security is a never ending game of cat and mouse, and the malicious actors are always a step ahead. There’s no such thing as being 100% secure, so both sides have to take steps to secure a transaction. If you believe security is 100% the burden of the provider, then we shouldn’t be using passwords and password managers in the first place, because the burden of having to maintain, secure, and memorize passwords shouldn’t be on the consumer. That’s great in theory, but not possible in practice, at least in the present.
It’s kinda weird that you like to have your own agency on things (i.e. own infrastructure) yet the minute you need to use a third party service, you let go and put everything on the service, KNOWING they are not doing a good job with it.
And if you do, do you intentionally not use MFA (if it’s available) because you believe it should be those services making sure you are secure instead of you taking steps to make it harder to compromise your accounts?
Yep. We can discuss me using a second factor once they start designing their services better.
Payment on such sites is set to require approval via my bank (hardware token), I don’t care about the purchase history - so if somebody manages to breach the account and order something it’s entirely their problem, not mine. I’m aware they might close my account when confronted with that attitude, but I’m also fine with that.
so both sides have to take steps to secure a transaction
My passwords are stored locally encrypted, with the encryption key stored in a hardware token. The browser doesn’t have access to that. That’s already more than a lot of sites are doing for their security…
yet the minute you need to use a third party service, you let go and put everything on the service, KNOWING they are not doing a good job with it.
That’s exactly why I treat any 3rd party service as throwaway.
I’m not sure if you’re replying on topic or opening other entirely tangential topics.
Duty of the other party is a duty, not a guarantee. 2FA is a safety net against negligence and mistakes. It still makes sense.
Yes. It prevents replay attacks.
Y…yes?
I, and so surely others, were like “wtf is a replay attack”. So I provided that for others.
Ahhh. Props to you, kind stranger.
Yes there is! Great, you have a strong, randomly generated password. There's no collateral damage (you're having your password manager generate the passwords, right?), so your other accounts are safe, you only have to rotate one password.
Well what happens for instance if someone really wanted access to your account? Say it’s a bank, a social media account, or maybe it’s just a game account for an MMO that’s super high value, you have a long and strong password, but let’s say the service’s security wasn’t quite up to snuff or you got phished and gave your password by accident (these things happen, it’s not your fault).
This is where 2FA comes in: if someone manages to break your password, the attacker needs your phone, your security key, your fingerprint, etc. to prove to the service they're you. By having 2FA on the account you're increasing your defense in depth for your account. If you didn't have it, your account is as good as gone as soon as an attacker cracks or gets your password.
It acts as a second lock that needs to be picked in order to take over your account.
I personally add 2FA to all of my accounts I can, the highest security ones get added to my hardware token. The ones I don’t need as high security go into my password manager (which has 2FA enabled but only available via my hardware key).
Additionally, as often as possible I try to use a unique email address for each service (simplelogin, addy.io, or similar; plus-based email addresses are easily bypassed). They all forward to my email, but now you have to guess my email for the service (my own private domains, so not shared with anyone else) and what mailbox it ends up in. As a bonus you can disable emails that are sending spam or see who got breached based on the email.
Again defense in depth, a long secure password is great but that’s only relying on a single lock. By having 2FA you’re doubling your security so to speak by requiring that extra key in order to access your accounts.
Do we REALLY know how many times? We only know how many times they have admitted to being breached.
I mean, I certainly don’t want to argue against 2FA, but some accounts are just …disposable, you know?
Like, if someone hacks into this account, obviously not great, but I’ll talk to the admins to get it suspended/deleted and then I’ll make a new one. It’s mostly just a minor inconvenience…
Don’t create 2FA for this account then. Only do it for the ones you care about.
Yes.
Because IF. If your manager is hacked, see LastPass, it provides an additional layer of protection.
This is kinda what passkeys do / are trying to do. You’re kinda just dropping the password and trusting that the MFA is secure.
So yes, password managers are good. Unique passwords are very good. And MFA is the icing on the cake.
Imho
2FA will protect you if your password is somehow leaked or your password manager is compromised.
Yes, because bad actors may be able to get ahold of passwords from your device or the service providers. MFA helps mitigate the risk of unauthorized logins in this event.
Yes.
The purpose of multi factor authentication is that it requires multiple factors, which can be:
- what you know (password)
- what you have (yubikey, phone with authenticator app, etc)
- where you are (in the office vs at home)
- what device you’re on
These are the most common examples.
Multi factor authentication is about having multiple factors for authenticating you:
- Something you know (like a password)
- Something you have (with you - a hardware key, smart card or token)
- Something you are (biometrics, fingerprint, faceid)
So the idea is that you’ll have two points of identification.
But if you have your TOTP token and your generated password in the same password manager - that’s effectively only one factor of authentication.
If you've gotten this far you should probably consider a WebAuthn key like the YubiKey to be the "something you have".
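To make concrete what a "TOTP token" in a password manager actually is, and what the earlier comment meant by 2FA preventing replay attacks, here is an added example (not from any commenter) of the RFC 6238 TOTP computation plus a server-side verifier that rejects a code that was already accepted or has expired. It assumes SHA-1, 30-second steps and 6 digits; the shared secret is the RFC 6238 test-vector secret, so whoever holds that byte string holds the whole factor, which is the point about keeping it in the same manager as the password.

```python
import hashlib
import hmac
import struct

STEP = 30   # seconds per TOTP step (RFC 6238 default)
DIGITS = 6  # code length (assumption: common default)


def totp(secret: bytes, at: int, step: int = STEP, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: HOTP over the time counter floor(at / step)."""
    counter = at // step
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class TotpVerifier:
    """Server side: accepts a code for the current step +/- window, and never
    accepts a step at or below the highest step already used (replay defence
    recommended in RFC 6238 section 5.2)."""

    def __init__(self, secret: bytes, window: int = 1):
        self.secret = secret
        self.window = window
        self.last_counter = -1  # highest time-step counter already accepted

    def verify(self, code: str, at: int) -> bool:
        counter = at // STEP
        for delta in range(-self.window, self.window + 1):
            candidate = counter + delta
            if candidate <= self.last_counter:
                continue  # replay: this step (or an older one) was already consumed
            expected = totp(self.secret, candidate * STEP)
            if hmac.compare_digest(expected, code):  # constant-time compare
                self.last_counter = candidate
                return True
        return False  # wrong code, expired code, or replay


def demo() -> tuple:
    """Constructed scenario: a captured code is used once, then replayed,
    then presented again two minutes later. Returns (first, replay, late)."""
    secret = b"12345678901234567890"  # RFC 6238 test-vector secret, not a real key
    captured = totp(secret, 59)       # code observed at t=59 (RFC vector: 287082)
    server = TotpVerifier(secret)
    first = server.verify(captured, 59)         # legitimate use -> True
    replay = server.verify(captured, 59)        # same code again -> False
    late = server.verify(captured, 59 + 120)    # expired code later -> False
    return first, replay, late
```

With a phishing proxy the attacker can still use a code once within the window, which is why the thread's WebAuthn suggestion is the stronger "something you have": origin binding leaves nothing reusable to capture.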
I would say technically yes, though the degree of value may be up for debate. Generating your passwords means they are hard/less likely to be guessed/brute forced. And means you won’t have one leak chain to others. But if they are brute forced or leaked somehow, MFA means you are still protected. Depending on the implementation the MFA may even prevent them from knowing the password was right.
Assuming that’s supposed to say 2FA, yes! They’re different things and one doesn’t replace the other.
2FA is an additional layer on top of your password, that doesn't change because your password manager made it for you.
There’s no opinion there, 2FA on top of a password is more secure and smarter to do, there’s literally nothing to debate.
If you store them separately (or use U2F/WebAuthn/security keys), yes - it gives you some protection if your password manager gets hacked.
If you just store them in the same password manager - no (except that some sites require it or create additional pains in the ass like forced e-mail based 2FA unless you have 2FA already).