For no real reason, I currently use different 2fa methods across my online accounts:

  • sms verification
  • email verification
  • duo mobile
  • microsoft authenticator
  • google push verification

As part of a cleanup exercise with my online accounts, I've been looking at signing up for either 1Password or Proton Pass to manage my passwords. It turns out that both options also have an authenticator app. This could just be marketing, but both 1Password and Proton Pass seem more secure than the others. Or at the very least, they're not tied to big tech like Duo (owned by Cisco), Microsoft, and Google are. I already know SMS is the weakest one here, with SIM swap scams and all that. Email's not great either.

My concern is: Would migrating all my authentications to 1Pass/Proton create a risky concentration? If there is a leak, would I be screwed by having both my passwords AND my 2fa for those passwords in the same place?

And as an aside, what do you guys think about 1Pass and Proton themselves? For me it's a toss-up, mostly will depend on UI/UX unless there's some consequential thing that I missed.

  • To me it makes perfect sense to keep your passwords and TOTP codes in separate systems.

    Personally I use Bitwarden as my password manager and Ente for my TOTP. I also have hardware keys for certain accounts. Like my Apple account, it's locked down with them so my email is safe.

    I can't say anything about 1Pass as I've never used it. I did however try Proton Pass a while ago and it was good. Similar to most password managers.

    I'd get rid of as many SMS and email verifications as you can and move them to TOTP if possible.

  • If there is a leak, would I be screwed by having both my passwords AND my 2fa for those passwords in the same place?

    Yes, it's risky bundling passes and TOTP secrets together. Password managers are juicy targets and do get hacked from people doing sloppy opsec, running them on compromised machines, etc.

    As a general rule I keep TOTP secrets separate on different devices, which means if my pass manager is hacked, they need to hack my TOTP app too, which is unlikely to happen, but still a possibility.

    One thing I do, on top of this, is use codenames for password manager entries. For example: R stands for Reddit and you have the Reddit username memorized. The pass is in the clear, but the associated meaning of that pass will be lost to an attacker.