True or false: TOTP is just an extension of your password

MerryBit
MerryBit
Community Member

Yesterday I read something on Twitter from a person seemingly quite knowledgeable on the subject of passwords and security. Their claim was, in essence, the following:

If you're already storing an essentially unbreakable password in a password manager, then adding a one time password (TOTP) adds no real security because it won't be a true second factor, instead it'll effectively just be an extension to your already super-secure password.

Thoughts anyone?

Comments

  • Is this in reference to using TOTP to protect your 1Password account, or to protect other accounts? I feel there is still some value in using TOTP on top of a strong password for non-1Password accounts, and wonder what the person you're speaking with would have to say about replay attacks? As for 1Password accounts... Personally I don't use TOTP / 2FA unless required to do so. It is a different security model than what you find with most websites, and as such the value there is different.

    Ben

  • MerryBit
    MerryBit
    Community Member

    It's in reference to other accounts.

    His argument is that if your password is compromised, it'll be because your password manager vault has been compromised in which case your TOTP secret is very likely compromised as well.

    How do replay attacks come into play (no pun intended)?

  • XIII
    XIII
    Community Member

    it'll be because your password manager vault has been compromised in which case your TOTP secret is very likely compromised as well.

    If it's a desktop/laptop containing your passwords that got infected, your TOTP secret might still be safe if you only stored that (in a specific App) on your mobile phone.

  • His argument is that if your password is compromised, it'll be because your password manager vault has been compromised in which case your TOTP secret is very likely compromised as well.

    That is not the only way in which passwords become compromised. :)

    How do replay attacks come into play (no pun intended)?

    A replay attack is where an attacker is able to capture what you are entering into a login form, and then they try entering those exact same details at a later time. TOTP helps prevent this as the information that needs to be entered into the login form changes every 30 seconds.

    Ben

This discussion has been closed.