If the attacker got a list of passwords from a leak and your password was on it, the 2nd factor provided by the TOTP will still save you.
So, it just depends on your threat vectors. I’d rather people I support keep unique passwords alongside TOTP in a manager they’ll actually use than skip or use SMS TOTP because of a vague concern about targeted hacking of their manager.
If you're already using a password manager with secure randomized passwords, you're not vulnerable to credential stuffing unless that specific service had a breach. I suppose TOTP may still protect against unsophisticated phishing, but only as long as the attacker doesn't phish a TOTP code at the same time and pass it straight along to the service.
Are there other threats that TOTP-in-password-manager can protect against that the randomized passwords don't already?
>Are there other threats that TOTP-in-password-manager can protect against that the randomized passwords don't already?
tbh the UX problem of 2fa for "I use random passwords and am not vulnerable to credential stuffing" users is a pretty big reason to stick TOTPs in your password manager.
Security is always a series of trade-offs, and 2fa brings some hideous trade-offs in many sites (well over half only allow one at a time, for example, and then you lose access permanently). TOTP with a standard like this lets you choose, rather than the site choosing for you.
Right, and if an attacker can dump password hashes they can likely dump TOTP seeds as well. With that level of database access the attacker may be able to steal all your info from the impacted service, so talking about the password may even be a distraction since all your data is already stolen.
Yes. A bunch. Service accounts that need to be shared between a limited group of people.
TOTP + something like 1P moves this from happy-monday-an-infra-engineer-left-time-to-rotate-100-accounts to something you can just do periodically as you like.
In practice the only widespread attack that either TOTP or SMS authentication help with is credential stuffing, and if you use a password manager to use unique passwords on each site you're not susceptible to credential stuffing to begin with.
Multi-factor isn't an end in itself, one strong factor is fine for most things. If your pw manager is good enough to not get tricked by phishing, that's already better than most manually used MFA.
Some password managers do offer the option of challenge-response from a hardware key, but technically speaking the password manager vault file can be considered "something you have" so long as you store it securely, like your SSH private key.
The problem is that the vault file can be copied, which means this is now "something you and your attacker have". Even worse, it's not just the (probably encrypted) vault file: if your computer ever gets compromised, it is trivial to wait until you unlock the vault, at which point they can extract the now-plaintext TOTP secrets.
The way I understand it, the "something you have" factor is something which is intrinsically only a single item: either you have it, or you do not. If it can be copied, one of the copies could be compromised without you noticing - and because it's a copy you wouldn't even be able to revoke it without changing your own token too.
Yes, it's something you have, but it's not a second factor if you're storing your (randomized) password in the same place. If you do that it's just two redundant checks that you have access to the same single password manager vault.
Wouldn't you still need the password database, plus the password or whatever used to open that database? The two factors are related though (a good keylogger should be able to get both).
Doesn’t using your password manager as TOTP code generator reduce the number of factors back to 1?