True or false: TOTP is just an extension of your password

Yesterday I read something on Twitter from a person seemingly quite knowledgeable on the subject of passwords and security. Their claim was, in essence, the following:

If you're already storing an essentially unbreakable password in a password manager, then adding a one time password (TOTP) adds no real security because it won't be a true second factor, instead it'll effectively just be an extension to your already super-secure password.

Thoughts anyone?

Comments

  • Ben (AWS Team, Team Member)

    Is this in reference to using TOTP to protect your 1Password account, or to protect other accounts? I feel there is still some value in using TOTP on top of a strong password for non-1Password accounts, and wonder what the person you're speaking with would have to say about replay attacks? As for 1Password accounts... Personally I don't use TOTP / 2FA unless required to do so. It is a different security model than what you find with most websites, and as such the value there is different.

    Ben

  • It's in reference to other accounts.

    His argument is that if your password is compromised, it'll be because your password manager vault has been compromised in which case your TOTP secret is very likely compromised as well.

    How do replay attacks come into play (no pun intended)?

  • it'll be because your password manager vault has been compromised in which case your TOTP secret is very likely compromised as well.

    If it's a desktop/laptop containing your passwords that got infected, your TOTP secret might still be safe if you only stored that (in a specific App) on your mobile phone.

  • Ben (AWS Team, Team Member)

    His argument is that if your password is compromised, it'll be because your password manager vault has been compromised in which case your TOTP secret is very likely compromised as well.

    That is not the only way in which passwords become compromised. :)

    How do replay attacks come into play (no pun intended)?

    A replay attack is where an attacker is able to capture what you are entering into a login form, and then they try entering those exact same details at a later time. TOTP helps prevent this as the information that needs to be entered into the login form changes every 30 seconds.

    Ben
