Best practice for OTP
Hi,
when using OTPs a general rule says to not store password and OTP token at the same location which makes very sense for this approach.
With 1password however I'm simply storing everything (including recovery tokens) in one login record of 1password. How do other people use this? I was lately thinking about a second vault to only store OTP information, so that they are at least separated by a different master password but I don't know how practical this is..
Any thoughts?
1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided
Comments
-
when using OTPs a general rule says to not store password and OTP token at the same location which makes very sense for this approach. With 1password however I'm simply storing everything (including recovery tokens) in one login record of 1password. How do other people use this? I was lately thinking about a second vault to only store OTP information, so that they are at least separated by a different master password but I don't know how practical this is.. Any thoughts?
@ohcibi: That's an excellent point, and surprisingly not something that comes up often. I think the important thing to keep in mind is that if you weren't using 1Password to store your TOTP secrets, they'd be somewhere probably considerably less secure (or something truly awful, like SMS). So while they wouldn't be in the same place...well, I'm not sure there's much of a security benefit there.
I think that using another vault isn't such a bad idea...except that I'm not sure of the benefit. Even if the vault uses a different Master Password, 1Password will still be unlocking with the Primary. And it's another thing to remember each time you setup a new device. Using a solid Master Password to encrypt all of my data -- including my TOTP secrets -- is enough for me, but of course it's up to you how you protect yours. Cheers! :)
0
