I’m honestly kind of surprised I’m writing this. But maybe storing MFA seeds in your password manager isn’t as bad as I thought.

I was an early adopter of widespread MFA usage, and a pretty early adopter of using a password manager (at least compared to the average person). I had something like 40 accounts in my Google Authenticator by like 2012, and I used KeePass starting in 2010. Over time I switched to LastPass, because it integrated nicely with my phone and multiple devices, whereas KeePass didn’t have very good ways to do this at the time. Then Tavis happened to LastPass, and I lost all confidence in LastPass. Maybe a little bit because of the vulnerabilities that were found (they were pretty bad and definitely did not inspire confidence), but mostly because of how LastPass generally handled each of the vulnerabilities that were reported. I switched to Bitwarden for a while, and then to 1Password.

(If you have a 1Password business account, all of your employees can get a free family account while they are employed. It's valid for up to 4 people in the family, and it's not tightly coupled to your employment, so if you leave you can just start paying, or migrate off. I really like this as an employee perk, and more people should take advantage of it.)

Is it really MFA if it’s stored with your password?

But for as long as I’ve used a password manager, up until maybe the last 6 months or so, I’ve always scoffed at the idea of storing my TOTP seeds in my password manager, and even actively recommended against it. I mean, it’s called multi-factor authentication. Putting everything in the password manager means that possession of the password manager results in access to all accounts. At least if you store your TOTP seeds in a separate app like Google Authenticator or Authy, then if someone gets access to your password manager, the MFA tokens are safe, and so hopefully they can’t get into your sensitive accounts.

(Google Authenticator only now that they've created a capability to sync seeds, anyway. Before that capability, I wouldn't recommend Google Authenticator, because the risks of "my phone bricked" or "I traded my phone in" far outweighed the benefits of having MFA tokens securely stored in your phone.)

Recently I started storing some TOTP seeds in 1Password, mostly out of convenience. I use it for generally lower sensitivity accounts, but where MFA is an option that I still want to take advantage of. If my options are “just use a password” or “use a password and MFA in my password manager”, I would always choose the latter. Of course, I also use generated random passwords that are unique per account, so I’m not particularly prone to password spraying attacks, but having the MFA option still gives me a bit of relief. The most important threat that both password managers and MFA defend against is credential stuffing, i.e. password reuse attacks.

Remember this device?

One thing I realized this morning, though, is how storing MFA tokens in 1Password has changed some of my behaviors on some websites. In particular, how it has changed my behaviors when a website offers a “remember this device” capability. Previously, I would always check the “remember this device” box to avoid having to reach for my phone on every login. But with the MFA token in 1Password, and 1Password’s autofill capabilities, it will auto-submit forms without checking that box for me. At first I was a little annoyed, I still wanted to check the box.

But then I thought about it a little more, and I’m actually totally okay with this behavior, and consider it an advantage. “Remember this device” typically works by assigning your browser a cookie that uniquely identifies it. So long as that cookie is still stored, a correct password alone gets you in and you won’t be prompted for MFA. In some cases the site may also re-require MFA if you present the cookie but arrive from a different IP address, but this has become considerably less popular since mobile phones, which change IP addresses constantly, became a primary computing device. These device ID cookies tend to be very persistent, with expirations set months, years, or even decades into the future. If I’m in a situation where my cookies could be leaked or stolen, MFA wouldn’t help me anymore, because possession of the device ID (plus my password) would bypass that requirement. Additionally, these device ID cookies aren’t typically treated as authentication material, and may be shared for tracking purposes, so they might not be HttpOnly, in which case any JavaScript on the page can read them and send them off wherever.
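To make the mechanism concrete, here is an added example (my own illustration, not code from the original post or from any particular website) of how a server might issue and check a “remember this device” token. It assumes a hypothetical login flow with an HMAC-signed token carrying the user id and an explicit expiry; the key, user names, IP addresses and the cookie name are all made up for the example. The weak and hardened Set-Cookie lines sit side by side, and the login decision function shows the point above: a valid device token plus the password skips the second factor entirely, whoever presents it.

```python
import base64
import hashlib
import hmac
import json
import os
import time

# Server-side secret used to sign device tokens (constructed for this example).
SECRET_KEY = os.urandom(32)


def _b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_device_token(user_id, ttl_seconds, now=None, key=SECRET_KEY, client_ip=None):
    """Create a signed 'remember this device' token bound to one account.

    The expiry lives in the signed payload, so the server, not the browser,
    decides how long the device stays trusted. Binding to client_ip is the
    optional (and increasingly unpopular) IP check described above.
    """
    now = int(now if now is not None else time.time())
    claims = {"uid": user_id, "exp": now + ttl_seconds}
    if client_ip is not None:
        claims["ip"] = client_ip
    payload = json.dumps(claims, separators=(",", ":"), sort_keys=True).encode()
    sig = hmac.new(key, payload, hashlib.sha256).digest()
    return _b64e(payload) + "." + _b64e(sig)


def verify_device_token(token, user_id, now=None, key=SECRET_KEY, client_ip=None):
    """Return True only for an untampered, unexpired token issued for user_id."""
    try:
        enc_payload, enc_sig = token.split(".")
        payload, sig = _b64d(enc_payload), _b64d(enc_sig)
    except Exception:
        return False
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):  # constant-time comparison
        return False
    claims = json.loads(payload)
    if claims.get("uid") != user_id:
        return False
    if "ip" in claims and claims["ip"] != client_ip:
        return False
    now = now if now is not None else time.time()
    return now < claims.get("exp", 0)


def set_cookie_header(token, ttl_seconds, hardened=True):
    """Build the Set-Cookie line. The weak variant is the one the post warns
    about: a long-lived token readable by any script on the page."""
    attrs = [f"mfa_device={token}", f"Max-Age={ttl_seconds}", "Path=/login"]
    if hardened:
        # HttpOnly keeps document.cookie away from it, Secure keeps it off
        # plain http://, SameSite=Strict stops other origins from making the
        # browser send it.
        attrs += ["Secure", "HttpOnly", "SameSite=Strict"]
    return "Set-Cookie: " + "; ".join(attrs)


def login_decision(password_ok, device_cookie, user_id, now=None, key=SECRET_KEY, client_ip=None):
    """Return (access_granted, second_factor_required) for one login attempt.

    Note what a stolen device cookie buys an attacker who also has the
    password: the second factor is never asked for.
    """
    if not password_ok:
        return (False, False)
    if device_cookie and verify_device_token(device_cookie, user_id, now, key, client_ip):
        return (True, False)
    return (False, True)


if __name__ == "__main__":
    tok = issue_device_token("alice", ttl_seconds=30 * 86400)
    print(set_cookie_header(tok, 30 * 86400))
    print(login_decision(True, tok, "alice"))    # (True, False)
    print(login_decision(True, tok, "mallory"))  # (False, True)
```

Two design points worth noting. `Path=/login` keeps the device cookie out of every other request, so it is not in the blast radius of an unrelated XSS or a careless analytics script; and because the token is signed rather than looked up, revoking it (say, on password change) needs an extra server-side check, such as a per-user “devices issued before time T are invalid” timestamp. Neither helps once a valid token and the password are both in an attacker's hands, which is exactly the situation the post describes.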

I don’t know that the threat model of “someone could steal my device ID but not access my password manager” or “someone could steal my device ID, have my password, but not just steal a session cookie” is particularly common or important. But it is something I hadn’t really thought about before today and I wanted to capture my thoughts on it.

Advice

If you’re here for advice, my advice to you is this:

Use a password manager. Use strong random passwords for each account. Use MFA. It’s okay if you use MFA that is stored in your password manager. Store MFA for extra sensitive accounts (like email, the password manager itself, etc.) in a separate app that has an encrypted backup solution.