I've been struggling with this for a while, so maybe others can share their thoughts.
Do you keep your email password in a password manager?
If I were to forget my Master Password and needed to delete the account and start over, 1P would verify my identity by sending me an email... which I cannot access without remembering my Master Password (assume the phone with sync is lost/stolen, the logged-in PC burned down or something... or maybe I don't keep email logged in on the PC either).
Similarly, if I were to forget my Master Password (with no recovery possible), I would then need to contact the individual services (facebook, aws, dropbox, etc.) to reset my (randomly generated) passwords. That process usually goes through the email... which I cannot access without remembering my Master Password.
This is like making a copy of your safe key... and then keeping it in the safe... if you lost your main safe key, you are not getting back into the safe, so why even keep a copy there?
Do you keep your TOTP codes in a password manager?
The 2FA TOTP codes are my last line of defense against an attacker. If an attacker was to gain access to my passwords stored in 1P, either through:
In any of the above, the attacker now gains access to my individual service passwords (facebook, amazon, etc.). When they try to log in, they will be faced with a 2FA challenge. That is the whole point of 2FA. This is my last line of defense. In 3/4 cases, the attacker does not have my phone, and therefore cannot access the 2FA seeds/codes that are on my phone. In the remaining case, even if the phone is stolen and my fingerprint is lifted off the case, my 2FA app has a separate PIN (oh how I hate that they don't allow fingerprint auth... but obviously this is quite on purpose, to combat situations like this).
[Considering only single-point-of-failure scenarios here. If someone attacks my vault personally (a wide attack on 1P servers to gain encrypted vaults is pointless without a from-the-future quantum computer, and unlikely) and attacks the 2FA app's servers in a coordinated attack and also breaks their encryption, then they probably need those passwords more than I do (or it's so above my pay grade I'd rather give them the passwords and keep my life).]
By keeping my 2FA separate from 1P, it serves its purpose and the attacker still cannot gain access to my individual services despite having the passwords. The next step for the attacker would be to suspend 2FA, disable 2FA, or request an alternative 2FA. In most cases, this again would be performed through the email.
However if I stored my 2FA in 1P, that already defeats the purpose. Similarly, if I stored my email password in 1P, the attacker would be able to disable 2FA through email links.
So it seems problematic to store the email password in a password manager. It's also outright wrong to be storing 2FA in a password manager. At the very least, if one were to store 2FA in a password manager, it should be a different password manager than the one containing the passwords.
Thoughts please? I am sure I am not the only one struggling with this.
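To make the single-point-of-failure argument above concrete, here is an added example (not from the original post, and not 1Password's code) that writes the dependencies as "if you hold X you gain Y" rules and computes what an attacker holding only the vault, or a user who has forgotten the Master Password, can still reach. The node names and rules are assumptions that follow the post's scenarios.

```python
"""Constructed dependency model of the vault / email / TOTP loop."""
from typing import FrozenSet, List, Set, Tuple

Rule = Tuple[FrozenSet[str], str]  # (everything needed) -> what it grants


def rules(totp_in_vault: bool, email_in_vault: bool) -> List[Rule]:
    """Assumed rules. 'memory' = things the user still remembers without the vault."""
    r = [
        ({"vault"}, "service_password"),            # vault holds the random service passwords
        ({"email_password"}, "email"),
        ({"email"}, "service_password"),            # "forgot password" links arrive by email
        ({"email"}, "2fa_reset"),                   # suspend/disable 2FA also goes via email
        ({"service_password", "totp"}, "service_account"),
        ({"service_password", "2fa_reset"}, "service_account"),
    ]
    # TOTP seeds live either in the vault or in a PIN-protected app on the phone.
    r.append(({"vault"} if totp_in_vault else {"phone"}, "totp"))
    # The email password is either random and vault-only, or memorised.
    r.append(({"vault"} if email_in_vault else {"memory"}, "email_password"))
    return [(frozenset(need), grant) for need, grant in r]


def closure(start: Set[str], rs: List[Rule]) -> Set[str]:
    """Fixed-point: apply every rule whose prerequisites are all held."""
    have = set(start)
    changed = True
    while changed:
        changed = False
        for need, grant in rs:
            if need <= have and grant not in have:
                have.add(grant)
                changed = True
    return have


def attacker_with_vault_only(totp_in_vault: bool, email_in_vault: bool) -> bool:
    """Attack side: does stealing the decrypted vault alone log into a service?"""
    return "service_account" in closure({"vault"}, rules(totp_in_vault, email_in_vault))


def user_can_recover(totp_in_vault: bool, email_in_vault: bool) -> bool:
    """Recovery side: Master Password forgotten, user keeps phone and memory only."""
    return "service_account" in closure({"phone", "memory"}, rules(totp_in_vault, email_in_vault))


if __name__ == "__main__":
    for totp, mail in [(False, False), (True, False), (False, True)]:
        print(f"totp_in_vault={totp} email_in_vault={mail}: "
              f"vault-only attacker gets in={attacker_with_vault_only(totp, mail)}, "
              f"user can recover={user_can_recover(totp, mail)}")
```

With everything separate, the vault alone yields nothing and recovery still works through the remembered email password; putting either the TOTP seeds or the email password in the vault makes the vault a single point of failure, and a vault-only email password is exactly the key locked inside the safe.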