
I disagree with the experts here. There was and is absolutely nothing wrong, and quite a lot right, by having the 2FA program completely separate from your password vault. At best, this is a lateral security trade-off that you are paying them to provide. View the 2FA feature from a software marketing and sales lens. Can you see how it's just feature creep, driven by competition doing the exact same thing?



Same here. It seems like they are very narrowly optimizing for the extremely rare case of a person who simultaneously:

A) Is fooled by a phishing attack

and

B) Is not fooled enough to manually copy-paste credentials from their password manager after noticing that the autofill didn't work

Does a person like this exist somewhere? Sure, if you interview 1 million people, I'm sure you will find 1 person like this.

It is very, very strange to me that the security "experts" are narrowly optimizing for this specific user and downplaying all the risks related to their recommendation.


In my previous company we hired a startup that did security training, that recommended everyone use a password manager. And one of their tests was that they sent a fake phishing email to people (randomized over a couple of months so not everyone would get it the same day).

I don't remember the exact number but something like 30% of people who didn't use a password manager got caught. Basically no-one using a manager was.

Granted there might be some selection bias (people who had managers were probably already slightly more security conscious), but people were feeling slightly embarrassed to have been caught and it worked great to have everyone do the switch. And everyone remembered after that that if it doesn't autofill, something's amiss.


The most important bit of information is missing from your post: was everyone using 2FA? If yes, then you make a relevant point.


Even if no 2FA was involved at all, it's a good answer to the scenario you were posing.

I think plenty of people will have second thoughts when the password doesn't go.


The comparison here is using 2FA with external device, or putting 2FA codes into a password manager.

Any kind of experiment that doesn't involve 2FA at all is not relevant for this comparison.


The anecdote provides evidence for people that are initially fooled by a phishing attack but aren't fooled enough to manually copy-paste credentials when autofill doesn't work.

Your argument about 2FA depends on how many of those people there are.

Therefore the anecdote is quite relevant, indirectly.


The most common 2FA mobile app that isn’t a password manager is Google Authenticator.

Google Authenticator doesn’t export the seeds or store the seeds in the device backup, or sync them, so when you lose or upgrade that phone, you lose all your TOTP. This is bad.

Also, TOTP in general is bad, because it is easily phished, just like passwords. Using a password manager to store TOTP cuts down on phishing risk as it won’t input them into the wrong domain site. Copying them manually from a different app is still vulnerable to phishing.
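As an added illustration of the point above (this is not code from any commenter or from any password manager): a minimal model of why a vault that generates TOTP itself resists phishing. The vault entry, the origin it is bound to, and the page URLs are all constructed; the TOTP routine is RFC 6238 with HMAC-SHA1, which is what Google Authenticator computes.

```python
import hmac
import hashlib
import struct
from urllib.parse import urlsplit

def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP over the 30-second counter, HMAC-SHA1, dynamic truncation."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

# Constructed vault: every entry is bound to the exact origin it was saved on.
VAULT = {
    "alice@example.com": {
        "origin": "https://login.example.com",
        "password": "correct horse battery staple",
        "totp_secret": b"12345678901234567890",  # RFC 6238 test-vector secret
    },
}

def autofill(entry_name: str, page_url: str, now: int):
    """Return (password, totp) only when the page origin equals the saved origin.

    Matching is on the full (scheme, host, port) triple, never a substring, so
    login.example.com.evil.test, examp1e.com, a downgrade to http://, or a URL with
    user-info like https://login.example.com@evil.test/ all get nothing filled.
    A manually copied code from a separate authenticator app has no such check.
    """
    entry = VAULT[entry_name]
    saved = urlsplit(entry["origin"])
    page = urlsplit(page_url)
    if (page.scheme, page.hostname, page.port) != (saved.scheme, saved.hostname, saved.port):
        return None  # the manager stays silent: the "something's amiss" signal
    return entry["password"], totp(entry["totp_secret"], now)
```

The refusal on a mismatch is the whole defence: the user sees no fill and no code, and the phishing page receives neither the password nor a currently valid TOTP.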


> Google Authenticator doesn’t export the seeds or store the seeds in the device backup, or sync them, so when you lose or upgrade that phone, you lose all your TOTP. This is bad.

Not true anymore. [0]

[0]: https://www.theverge.com/2023/4/24/23696058/google-authentic...


Google Authenticator does support exporting and syncing now:

https://security.googleblog.com/2023/04/google-authenticator...


FreeOTP+, available on FDroid [1] provides for import/export of one's stored codes.

The problem with "phishing" is not the technology. Phishing is 100% a human issue and no matter what tech. you might use, those humans vulnerable to being phished will find a way to be phished.

[1] https://f-droid.org/en/packages/org.liberty.android.freeotpp...


What would be the way to phish someone who has a hardware security key that they have to touch?


For Google Authenticator, you can do an export for device migration. Once it shows the QR code image, snap it and then abort the migration. Back up the QR code for later restoration.


> There was and is absolutely nothing wrong, and quite a lot right, by having the 2FA program completely separate from your password vault.

Did you read the article? That's what they say.

> For maximum security, you can store your 2FA token elsewhere ... but for general purpose use, storing your 2FA in your password manager is an acceptable solution due to the convenience benefits it provides.


> Did you read the article? That's what they say.

No, that's not what they say. If you read the text that you just now quoted, you will see that it says "storing your 2FA in your password manager is an acceptable solution due to the convenience benefits it provides". Clearly the writer of that text believes there _is_ something wrong with having 2FA completely separate from the password vault: it is less convenient, to the extent where they are happy recommending this horrible approach to laypersons.

In addition, if you go and read OP, you will find that they talk about the potential of losing access to your TOTP codes stored in Google Authenticator. So that's another thing that counts as "something wrong" with storing 2FA separately from password vault.

So there's at least 2 things in the article that count as "something wrong". So they definitely didn't say that there's "absolutely nothing wrong".


They say it's less convenient, that doesn't mean they say it's wrong. And yes it is less convenient, why are you saying it's "horrible"? Security is always about compromises, if the less convenient method causes people to come up with workarounds then it would be worse even if in theory it's more secure.


> if the less convenient method causes people to come up with workarounds then it would be worse even if in theory it's more secure

but that's literally what this is... the less convenient method (2FA) caused people to come up with workarounds (saving 2FA secrets in their password vaults)... and I'm saying it's horrible



