Blog

This post originally appeared on blog.securityevaluators.com

Two-Factor Authentication (2FA, also known as Multi-Factor Authentication, or MFA) is all the rage these days, and for good reason. Accounts secured by 2FA are much, much harder to compromise than accounts using only a single factor — so much more so that you can — sometimes — get away with an easier to type and remember (and therefore weaker) password when using it. The most common ways of implementing the second factor are SMS and TOTP (Time-Based One Time Password). When SMS is used, the site sends you a short numerical code via SMS after you enter your password, and you type the code into the site to finish proving your identity. SMS is inconvenient (you have to have your phone on you), and more importantly, SMS is insecure and not recommended, so many sites are moving to TOTP codes instead, which involves using an app to generate codes yourself instead of the site sending them to you. There are a variety of apps that you can use to generate these codes, and some password managers do it too — but you have to be careful: your choice of app could weaken the security benefits provided by TOTP.

First, How Does TOTP Work?

TOTP works by having the user scan a QR code with an authenticator app like Google Authenticator when they sign up; the QR code contains the site’s name and location, and a secret key that will be used to generate codes. When the user goes to log-in to the site, the site will ask them for a code, which the authenticator app will generate using the secret key and the time (usually rounded to the nearest minute or half-minute). The server will also generate a code using the same time and key, and if the codes match then it will allow the user to log-in.

The Trap

For many users, this is still too inconvenient — they still need to have their phone, and now they need to proactively generate a code instead of just waiting for an SMS message, so password managers have started to offer TOTP generation features. The password manager scans the QR code when the user signs up, and then when they go to log in the password manager can input their username, password, and 2FA code all at once. Super convenient! There’s just one issue: the user just turned their secure two factor authentication method into a single factor — their password manager. Any malicious actor who gets access to the user’s password manager now has access to both factors needed to log into their accounts.

Our Recommendation

Do use 2FA everywhere you can, but don’t store 2FA codes in password managers. If you want to have a multi-device synchronized authenticator application, use a separate, dedicated application such as Authy (Note that ISE has not assessed the security of Authy at this time and cannot guarantee that it will not leak or expose data), and use a strong password to protect your account that is not stored in your password manager, or any location or service protected by your password manager.