moonwriting

Challenging the popular narrative regarding 2FA

Dear reader,

This article kicks off a two-part series in which I challenge the ever-present argument: “Don’t put all your eggs in the same basket.” Today, I will consider whether you should avoid storing 2FA together with your passwords. The second part moves the focus to ecosystems, which have traditionally been associated with providers like Apple and Google, but in recent years more privacy-focused providers, such as Proton, have chosen this strategy as well. Let’s begin.

“Don’t put all your eggs in the same basket” is an ever-present argument when people discuss password managers and whether to store TOTP codes together with passwords. While the argument is common, most people don’t really dive much deeper into it. They may say something like: “If your password manager gets breached, then everything there is compromised.” At first glance, the argument seems convincing, and is definitely worth considering. But I have two key problems with this line of thinking, and this article will cover them both.

I argue that this question comes down to your individual threat model, as do virtually all security and privacy questions. Therefore, people should stop treating it as a black-and-white question with a single correct answer, as if everyone’s threat model were identical. That doesn’t reflect reality.

An example case

Here is a comment I found on Reddit that perfectly demonstrates this kind of argument.

"Password managers should never be storing TOTP codes in the first place. This feature never should’ve made its way into any password manager. Authenticators should always be standalone. My recommendation is to use a dedicated authenticator app on your phone, make sure your codes are backed up properly, and keep them completely separate from your password manager."

The comment is very alarmist, but it also makes the same mistake as almost everyone who strongly advocates separating 2FA from passwords. It even contradicts itself: it insists that authenticators should be standalone, then recommends an app on the same phone that most people also use for their password manager.

For true separation

For true 2FA, I and many others would argue that it's not enough to use a separate app; you need an entirely different device, where you don't have your password manager installed. A security key that supports TOTP codes would be ideal for this purpose.

Is this what most people should do? No. But the problem is that people who are the most vocal about this don’t consider what a true separation would actually mean, while overemphasizing the security benefits of storing TOTP codes in a separate app that they still access from the same device as their password manager. The way I see it, the actual security benefits of doing this are quite small when compared to storing everything in a password manager. So small in fact that if you’re a person with good security habits, I would say that the convenience benefits of storing everything in one place far exceed the security benefits of separating these.

Rushing into conclusions

Many people also use the phrase “if your password manager is breached” too loosely, as if that were inevitable. They usually don’t specify how this would happen or what it even means exactly, but the phrasing implies that somebody has gained open access to one’s credentials.

My problem with this phrase is that it assumes a lot and starts from a situation that isn’t even likely to occur. There are also many ways to limit the probability of this, and password managers already deploy some defenses, such as strong end-to-end encryption and a slow key derivation function (KDF) for the master password.

Getting malware onto your device is probably the most likely way someone would gain access to your password manager, unless you have reused an old, compromised password for your password manager, while not turning 2FA on. In that case, you’re asking for trouble. But with malware, I don’t see how storing your 2FA on a separate app on the same device is going to save you.

Not just about convenience

Many people might think that convenience is the only real benefit of combining 2FA together with your password manager, but the benefits go beyond that. First, using a reputable password manager ensures your data is encrypted well.

This is of course also true with good TOTP apps, such as Ente Auth, but there are still many people who use something like Google Authenticator that doesn’t even use end-to-end encryption. You are also arguably limiting your attack surface by trusting only a single entity.

In addition, storing everything in one place will make backing up your data a lot easier since a single backup of your password manager is enough to cover everything.

But even then, there is nothing wrong with people also wanting convenience. You should consider whether your threat model allows this level of convenience, but arguing that everyone should approach this question the same way doesn’t make much sense, and I can’t get behind that. This kind of argumentation could also make some people use 2FA less or not at all, since storing it separately could be too big of a nuisance.

Now, where the proponents of separating passwords and 2FA are correct is that separating them will always be more secure than storing them together, and thus, if your threat model calls for it, you should keep them separate. But just because something is more secure doesn’t mean everyone should do it. For example, most people probably shouldn’t use an offline password manager unless they know exactly what they’re getting themselves into.

Future considerations

In the end, I’m not a big fan of TOTP, email or SMS 2FA, since these don’t offer built-in phishing resistance. They are legacy options that don’t perform well against threats we commonly face today. This is why we should move towards passwordless authentication methods, such as passkeys, instead of spending a lot of time obsessing over where regular people should store their TOTP codes.

There are even practical examples of the importance of moving beyond legacy 2FA options. For example, the security expert Troy Hunt, who is probably best known for his site Have I Been Pwned, was hacked earlier this year because he fell for a phishing attack. Even though he was apparently storing the password together with his TOTP code in his password manager, the attack would probably have worked regardless of where the 2FA was stored, since the underlying technology of TOTP doesn’t protect against phishing attacks. This specific hack also demonstrated that phishing is still an important attack vector that can affect anyone, even security experts. I would also argue that phishing is a far more relevant attack for most people to worry about than a password manager compromise.

Still, some people are pushing against new technologies like passkeys, which would give people a huge security improvement against phishing attacks. Instead, some people might prefer to keep using passwords and TOTP, which for most people would be worse than using a passkey, even if the TOTP codes are stored separately. If you are not convinced, security keys also allow you to store passkeys, and these would be the highest level of security most people could have for their accounts. With this setup, the attacker would have to gain physical access to your security key and, in addition, know the PIN you have set up. There are also no passwords to leak, so you wouldn’t have to worry so much about data breaches and how companies have secured your passwords, although this last point is also the case for synced passkeys.
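To show concretely why TOTP’s storage location doesn’t change its phishing resistance while a passkey’s origin binding does, here is an added example (not from the original post): a verifier for RFC 6238 TOTP beside a simplified, relying-party-side check of a passkey-style assertion. The credential key, origins and challenge are constructed for the example, and an HMAC stands in for the public-key signature a real WebAuthn authenticator would produce.

```python
import hashlib
import hmac
import json
import struct


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the 30-second time counter, then dynamic truncation."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def verify_totp(secret: bytes, submitted: str, unix_time: int, window: int = 1) -> bool:
    """Server-side TOTP check. The inputs are the secret, the code and the time only:
    nothing tells the server which site the user typed the code into, so whether the
    code came from a password manager or a separate app makes no difference here."""
    return any(hmac.compare_digest(totp(secret, unix_time + k * 30), submitted)
               for k in range(-window, window + 1))


def sign_assertion(cred_key: bytes, browser_origin: str, challenge: str) -> dict:
    """Authenticator side (simplified): the browser, not the user, fills in the origin it
    is actually connected to, and the signature covers it. HMAC stands in for a signature."""
    client_data = {"challenge": challenge, "origin": browser_origin}
    msg = json.dumps(client_data, sort_keys=True).encode()
    return {"client_data": client_data, "sig": hmac.new(cred_key, msg, hashlib.sha256).hexdigest()}


def verify_assertion(cred_key: bytes, rp_origin: str, challenge: str, assertion: dict) -> bool:
    """Relying-party side: accept only if the signed origin is ours and the challenge is the
    one we issued. An assertion produced on any other origin fails before the signature check."""
    client_data = assertion["client_data"]
    if client_data.get("origin") != rp_origin or client_data.get("challenge") != challenge:
        return False
    msg = json.dumps(client_data, sort_keys=True).encode()
    expected = hmac.new(cred_key, msg, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, assertion["sig"])


if __name__ == "__main__":
    seed = b"12345678901234567890"  # RFC 6238 test secret; T=59 gives 287082 with six digits
    print(totp(seed, 59), verify_totp(seed, totp(seed, 59), 59))
    key = b"constructed-credential-key"  # constructed for the example
    good = sign_assertion(key, "https://accounts.example", "n0nce")
    other = sign_assertion(key, "https://lookalike.example", "n0nce")  # constructed other origin
    print(verify_assertion(key, "https://accounts.example", "n0nce", good))   # True
    print(verify_assertion(key, "https://accounts.example", "n0nce", other))  # False
```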

All in all, future discussions should move away from legacy options and encourage the adoption of phishing-resistant solutions, like passkeys. 🌔
