Ask HN: Do you use your password manager to generate MFA codes?

2 pointssatyenr6y ago2 comments

Certain password managers like 1Password offer the ability to generate MFA tokens within the same app. While that is certainly convenient, doesn’t it defeat the purpose of MFA altogether?

I have found some posts[1][2] indicating that it may not be as risky as I think, BUT I wonder if there is more to the story. Thoughts?

[1] https://blog.1password.com/totp-for-1password-users/

[2] https://security.stackexchange.com/questions/194142/is-it-safe-to-store-2fa-tokens-together-with-passwords-in-1password

PS. Let’s stick to software tokens for the purpose of this discussion and not debate physical vs software token generators.

2 comments

bradknowles6y ago

I use 1Password for personal things, but in trying to set up a shared solution with my wife, I have found that they are not as well suited for group use. They’re getting better, but they’re still not there.

My employer uses LastPass Enterprise, and I’ve helped manage that part of the system for years. In my experience, LastPass is more clunky for things done outside the browser, but they have better browser integration than 1Password. LastPass is also much better suited in an Enterprise environment.

Many people at work use various tools for creating MFA tokens, including Authy, the Google Authenticator app, the Microsoft Authenticator app, etc.... but I primarily use the LastPass Authenticator app.

I have not made any attempt to use 1Password for personal MFA purposes. I am not at all convinced it is well suited to that role, either.

satyenrOP6y ago

Doesn’t LastPass Authenticator suffer from the same problem? If I understand correctly, they store the MFA secret in the same account — meaning if your LastPass vault is breached somehow, so is your MFA.

j / k navigate · click thread line to collapse