Comment by xanthor 6 days ago
It does not defeat the purpose of 2FA as possession of the decrypted 1Password vault is the second factor.
https://news.ycombinator.com/item?id=44259556
I posted another comment explaining why a 1Password vault with both a password and an OTP code is still secure, but in short it does not defeat the purpose. Your vaults are protected, and in the situation where someone gets access to your vault it's most likely to be full access to your computer, at which point they have other viable methods to get access to a specific service you use.
Isn't the whole point of 2fa that if someone gets access to my computer they can't do shit because they'd need my phone too?
It is also more obvious when your device has been stolen vs just the password.
Well, I'm assuming 1Pass is also storing the password. I.e. if it's in the same place for your pass and token, it's 1FA, no?
In my view the factors are attack vectors. If I wrote both my token and my pass down on a single sticky note, it's 1FA. If I have them on two stickies stored in two locations, it's 2FA.
Though I have no idea, that's just how I internalized it over the years. In your 1Pass example, it's a single attack vector (the password of my 1Pass) to compromising both the token and the password of the product/server/thing.
In the spirit of the idea, it would be the attack vector imo. So behind locked doors, buildings, safes, etc.
E.g. a hacker can access my computer, even have a clipboard/keylogger on my machine, and have a difficult time finding my token if it's on my phone. They need to attack my phone and my computer.
Having them both in your unlocked 1Password vault means if someone walks by your computer they can access your account. A single location with both of your "2FA". If they had a keylogger installed on your machine, they only need your single 1Pass password to breach your "2FA".
Granted, I imagine that a phone TOTP would still be a concern with a keylogger on your PC, since you still enter it on your compromised machine. Still more difficult than having the TOTP key though, of course.
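The distinction the last two comments draw (a captured six-digit code versus possession of the TOTP seed itself) can be shown concretely. The following is an added example, not code from the thread or from 1Password: a minimal RFC 4226 HOTP / RFC 6238 TOTP implementation using the RFC's published test secret, plus a `verify` with a one-step tolerance window of the kind most services use. The timestamps and the window size are assumptions for the demonstration. A code typed into a keylogged machine stops validating a couple of steps later, whereas whoever holds the seed can mint a valid code at any time, which is why keeping seed and password in one vault collapses the two factors into one.

```python
import hashlib
import hmac
import struct

# RFC 4226 / RFC 6238 reference test secret (ASCII "12345678901234567890").
SECRET = b"12345678901234567890"
STEP = 30  # seconds per TOTP time step


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 8-byte counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, step: int = STEP, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(secret, at // step, digits)


def verify(secret: bytes, code: str, at: int, step: int = STEP, window: int = 1) -> bool:
    """Server-side check: accept the current step and `window` steps either side.
    compare_digest avoids leaking which digit mismatched via timing."""
    counter = at // step
    return any(
        hmac.compare_digest(hotp(secret, c), code)
        for c in range(counter - window, counter + window + 1)
    )


def replay_scenario(secret: bytes = SECRET, t_captured: int = 59, delay: int = 90) -> dict:
    """Constructed scenario: a keylogger captures the code typed at t_captured;
    the attacker tries to reuse it `delay` seconds later. Meanwhile a party holding
    the seed (e.g. the vault contents) simply generates a fresh code."""
    captured = totp(secret, t_captured)
    later = t_captured + delay
    return {
        "captured_code": captured,
        "valid_when_typed": verify(secret, captured, t_captured),
        "replay_valid_later": verify(secret, captured, later),
        "seed_holder_code_valid_later": verify(secret, totp(secret, later), later),
    }


if __name__ == "__main__":
    # RFC 6238 Appendix B: at T=59 with this secret the SHA-1 TOTP is 94287082,
    # i.e. 287082 when truncated to 6 digits.
    print("TOTP at t=59:", totp(SECRET, 59))
    print(replay_scenario())
```

With the RFC secret the code at t=59 is `287082`; the same code is rejected 90 seconds later (the server now only accepts the codes for steps 3, 4 and 5), while a fresh code computed from the seed at that moment is accepted. Shrinking `window` to 0 narrows the replay period further but does nothing against a seed holder.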
Isn't that just remembering two passwords instead of one? And isn't two passwords instead of one basically the same as remembering one very long password?
For that matter, how do they prevent you from using the same password for both?