
> But also, in such a setup, the security benefit of 2FA/OTP codes is negligible at best since there are no conditions under which only one factor could be compromised without also having the other factor leaked (assuming you're using unique passwords for each identity, which is the entire point of a password manager).

Phishing and good ol' fashioned human error are two methods by which a password can be leaked without exposing the 2FA token.



In such a setup where the second factor is a TOTP I would count on the attacker being successful at phishing that too.


I previously thought that we were just having a difference of risk tolerance, but if you think some rando can _phish_ a TOTP secret, we are not even in the same universe of risk mitigation.

> Hello, dear sir, this is the USA IRS and we are going to send the FBI because your TOTP code is expired and are going to put you in jail if you don... hello? hello?!

> Click this link and paste in your TOTP secret because we need to verify your identity: https://1passsword.com/2fa-verify/


For passive phishing (e.g. setting up an identical website to the real one), stealing a valid TOTP token is trivial, and such campaigns have already been spotted in the wild [1].

> if you think some rando can _phish_ a TOTP secret

Given the context this discussion is about (someone with a 1Password vault, storing unique passwords and TOTP secrets for each account they have) do you see any scenario in which a user gets his password stolen but not the token (or the OTP secret seed altogether)?

> Hello, dear sir, this is the USA IRS

If an attacker via a phone call is able to get the victim to (a) unlock their 1Password vault, (b) spell out their password for account X, what makes you think they couldn't get them to also (c) open their 2FA app and spell out their TOTP token?

> I previously thought that we were just having a difference of risk tolerance

The point I was making is that there are no security advantages to setting up a time-based OTP as a second factor for authentication if the secret seed is going to be stored in the same vault where the passwords are: might as well just forgo this TOTP setup altogether and save the extra hassle. Or get a hardware second factor (TPM, Google Titan, Yubikey, ...).

[1]: https://www.zdnet.com/article/new-tool-automates-phishing-at...





