this post was submitted on 23 Sep 2023
836 points (98.6% liked)
Programmer Humor
32495 readers
947 users here now
Post funny things about programming here! (Or just rant about your favourite programming language.)
Rules:
- Posts must be relevant to programming, programmers, or computer science.
- No NSFW content.
- Jokes must be in good taste. No hate speech, bigotry, etc.
founded 5 years ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
view the rest of the comments
Although it's true that you are increasing the attack surface when compared to locally stored OTP keys, in the context of OTPs, it doesn't matter. It still is doing it's job as the second factor of authentication. The password is something you know, and the OTP is something you have (your phone/SIM card).
I would argue it is much worse what 1Password and Bitwarden (and maybe others?) allows the users to do. Which is to have the both the password and the OTP generator inside the same vault. For all intents and purposes this becomes a single factor as both are now something you know (the password to your vault).
That’s not quite right though, there’s the factor you know (password to your vault), and the factor you have (a copy of the encrypted vault).
Admittedly, I don’t use that feature either, but, it’s not as bad as it seems at first glance.
That would be true for offline vaults, but for services hosted on internet I don't think so. Assuming the victim does not use 2FA on their Bitwarden account, all an attacker needs is the victim's credentials (email and password). Once you present the factor you know, the vault is automatically downloaded from their services.
This is something I hadn't thought until know, but I guess password managers might(?) change the factor type from something you know (the password in your head) to something you have (the vault). At which point, if you have 2FA enabled on other services, you are authenticating with 2 things you have, the vault and your phone.
It works for self hosted vaultwarden mostly also. Since you would need a way to acess the login page itself, which could be behind a VPN or other authentication service like Authentik.