undefined | Better HN

0 pointslixtra6y ago0 comments

Having 2FA in 1Password is still strictly stronger than 1FA. The a leaked OTP token stays valid for about 60 seconds. Your leaked password may never change.

0 comments

akerl_6y ago

What is the threat model where an attacker gains access to your 1password vault in a way that gives them only a single OTP code and your password, and not the underlying symmetric TOTP key?

lixtraOP6y ago

- using your password on a compromised desktop

- attacker looking over your shoulder as you enter your password

- Company mitm breaks open ssl encryption and reveals your password.

Obviously, if someone breaks into your 1Password it’s game over.

akerl_6y ago

All of these aren’t related to your 1password vault. They all occur even if you’re using your phone as a totp device.

1 more reply

tialaramex6y ago

Terminology clarification: The seed driving TOTP is a shared secret but NOT a symmetric key.

j / k navigate · click thread line to collapse

0 comments

akerl_6y ago

What is the threat model where an attacker gains access to your 1password vault in a way that gives them only a single OTP code and your password, and not the underlying symmetric TOTP key?

lixtraOP6y ago

- using your password on a compromised desktop

- attacker looking over your shoulder as you enter your password

- Company mitm breaks open ssl encryption and reveals your password.

Obviously, if someone breaks into your 1Password it’s game over.

akerl_6y ago

All of these aren’t related to your 1password vault. They all occur even if you’re using your phone as a totp device.

1 more reply

tialaramex6y ago

Terminology clarification: The seed driving TOTP is a shared secret but NOT a symmetric key.

j / k navigate · click thread line to collapse