zak,

For years, I’ve seen questions from inside and outside of the 1Password community about the safety and security of storing certain secrets (like passwords) alongside other secrets (like TOTP). There’s a lot of misinformation out there. A coworker of mine, who is smarter than I am, writes about and clarifies the topic here: https://blog.1password.com/totp-for-1password-users/

Paxxi,
@Paxxi@hachyderm.io

@zak I love the sensible tone of the post and that there's no right answer, just tradeoffs based on your risk profile and usability requirements

zak,

@Paxxi Yep, there’s a right thing for everybody and as with most things, the answer comes down to threat modeling. But for most people, it’s fine for the balance to shift slightly towards convenience.

mckean,

@zak I don't understand why companies such as 1Password keep on trying to justify having all of your credentials in one place. Is it convenient? Yes... so is not having 2FA at all. Is it less secure having to trust a third party with everything? Also yes. I admire the work you do, not so much the talking, especially when referring to an absolutely sane decision as being based on misinformation.

zak,

@mckean I’m not sure if this post is against storing TOTP in 1Password or if it’s against the existence of 1Password overall. If it’s the former, I’m up to chat about it. Did you go over the blog post here? Something in particular that you disagree with?

mckean,

@zak I'm not against 1Password. I'm against labelling people as misinformed if they choose (for valid reasons) not to entrust a third party with all of their credentials.

zak,

@mckean The blog post certainly doesn’t do that. But to say that it’s not safe to do so is certainly misinformed. And I’ve seen plenty of that.

mckean,

@zak I'm referring to your post. While I do agree that saying it's not safe isn't accurate, saying that it is, is equally inaccurate. The blog post does mention tradeoffs, and unlikely scenarios. The fact that a good security posture checks off aspects of "separation of duties" is just blindly ignored, understandable from the pov of a company trying to sell their product... that's what I'm pointing out.

zak,

@mckean Well to be clear, this post applies to any password management solution that has TOTP functionality, not just 1Password. So I wouldn’t call this much of a sales pitch.

Anyway, as referenced in the blog post, there will always be those that simply prefer to separate these things in order to cover the unlikely scenarios in which a separate TOTP app would provide extra protection. It’s not wrong to have that preference. It’s just likely not the right choice for most people.

mckean,

@zak It's not a very unlikely scenario for a company to mess up; this has happened numerous times in the past. It is unlikely for multiple services to mess up at the same time. I'm talking about trust, and this should never be given blindly. 1Password, being an expert in that field, should have some humility and highlight this by recommending separation of duties as a very good practice - not an unlikely scenario blah blah

zak,

@mckean To be clear here, are you now referring to a compromise of 1Password as a service? That’s been addressed plenty of times separately. That is not a reason to avoid using 1Password for TOTP storage.

The blog post also mentions something similar to what you’re referring to as “separation of duties,” with minimizing personal attack surface being an equal but opposite viewpoint. Everyone has their own opinion and that’s fine.

mckean,

@zak Convenience vs. security. I don't think we have to talk about 1Password promising about what their processes look like should make me trust them? Am I to audit every update? God no. Also, I have nothing against 1Password, I have nothing against people storing TOTP alongside their passwords. I am annoyed about these services downplaying the valid opinion of separating credentials. We all agree that separation is the more secure way. It's not a preference, it's a fact. Convenience vs. security.

zak,

@mckean Well, I agree with this to an extent. But I also think that threat modeling is crucial. Just because something is “more secure” in theory (or, in this case, can protect you from a specific attack scenario) doesn’t mean that most people should be doing it.

If your goal is absolute raw security, you should not be using the internet. Everything beyond that point is a set of compromises, and everyone has different levels of tolerance to those compromises. 1Password does indeed provide a balance between security and convenience, as does every other digital product that you use.

The point still stands that if what you’re after is a true second factor, you should not be storing TOTP in 1Password. Nor should you be storing them in a separate application on the same device on which you store your passwords. You’d need a dedicated second hardware device to gain that second factor. Is that a valid option? Yes, absolutely. But again, is that the best solution for most people? Probably not.

mckean,

@zak Again the downplay in combination with the exaggeration; now I shouldn't be using the internet, great, is that the stance? Also, it is in fact more secure to have TOTP in a separate application. The fact that 1Password is one update away from being able to collect my primary credentials and gaining access to everything I stored with them is a serious threat in my model. You are biased, that is ok. My security posture is not as amazing as I make it seem, that is also ok. I just wish companies...

mckean,

@zak ...who are experts on the subject matter were more accurate and honest.

zak,

@mckean Again, I think this is starting to get more into justifying the existence of 1Password itself. Which isn’t really something that I’m willing to argue about here. Sorry.

mckean,

@zak Wow, I don't think I ever said that. Just because I'm questioning how a feature is being pushed by 1Password without properly highlighting the risks and allowing or even recommending other ways? I mean yeah, we can end the conversation...
