tadfisher / pass-otp

A pass extension for managing one-time-password (OTP) tokens
GNU General Public License v3.0

Doesn't using this break 2FA? #107

Closed kousu closed 3 years ago

kousu commented 5 years ago

I like the elegance of this extension, but it's been bothering me more and more lately that this breaks the 2FA assumption most sites use TOTP for. While your password store is unlocked, any malware can steal your password AND TOTP code at the same time.

A safer way would at least require a separate GPG key and put the OTP codes under separate pass files, or maybe an entirely separate pass store. But that breaks the workflow that pass-otp was designed for.

Right now pass-otp is helping me appear more secure to the Big Five than I actually am.
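To make the first comment's concern concrete: a TOTP code is a pure function of the seed and the clock, so anything that can read the decrypted seed can produce a valid code for any moment it likes. The example below is added here for illustration and is not code from pass-otp or from any participant in this thread. It parses an otpauth URI of the kind pass-otp keeps in a pass entry (the sample URI is constructed; its seed is the RFC 6238 reference seed "12345678901234567890" in base32, so the codes can be checked against the RFC test vectors) and implements RFC 4226 HOTP and RFC 6238 TOTP with the standard library only. The helper names are my own.

```python
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, urlparse

# Constructed sample entry in otpauth URI form, as pass-otp stores it.
# Seed = base32("12345678901234567890"), the RFC 6238 reference seed.
SAMPLE_OTPAUTH_URI = (
    "otpauth://totp/Example:alice%40example.com"
    "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Example&digits=6&period=30"
)


def parse_otpauth(uri):
    """Extract seed and parameters from an otpauth://totp/... URI."""
    parsed = urlparse(uri)
    if parsed.scheme != "otpauth" or parsed.netloc != "totp":
        raise ValueError("only otpauth://totp URIs are handled here")
    params = parse_qs(parsed.query)
    secret_b32 = params["secret"][0].upper()
    # Authenticator URIs usually omit base32 padding; Python's decoder needs it.
    secret_b32 += "=" * (-len(secret_b32) % 8)
    return {
        "secret": base64.b32decode(secret_b32),
        "digits": int(params.get("digits", ["6"])[0]),
        "period": int(params.get("period", ["30"])[0]),
        "algorithm": params.get("algorithm", ["SHA1"])[0].upper(),
    }


def hotp(secret, counter, digits=6, algorithm="SHA1"):
    """RFC 4226: HMAC over the big-endian 8-byte counter, then dynamic truncation."""
    digestmod = getattr(hashlib, algorithm.lower())
    mac = hmac.new(secret, struct.pack(">Q", counter), digestmod).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret, unix_time, digits=6, period=30, algorithm="SHA1"):
    """RFC 6238: HOTP with the counter set to the current time step."""
    return hotp(secret, int(unix_time) // period, digits, algorithm)


def code_from_entry(uri, unix_time=None):
    """Code for a stored entry at a given time (default: now).

    Note what this implies: the seed alone, read once, yields a correct
    code for every future time step. There is no per-use secret.
    """
    p = parse_otpauth(uri)
    if unix_time is None:
        unix_time = time.time()
    return totp(p["secret"], unix_time, p["digits"], p["period"], p["algorithm"])


if __name__ == "__main__":
    print(code_from_entry(SAMPLE_OTPAUTH_URI))
```

The point for a pass-otp user is the last function: a seed recovered from an unlocked store is not a single code but the ability to mint codes indefinitely, which is why the mitigation discussed in this thread is keeping the seed under a different key or in a separate store. In plain pass that corresponds to a subfolder with its own `.gpg-id` (`pass init -p <subfolder> <key-id>`) or a second store selected with `PASSWORD_STORE_DIR`.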

pta2002 commented 5 years ago

This would still require an attacker to have access to the pass store, and not just the password, so while not safer than a separate OTP key, it's safer than not having anything.

FSMaxB commented 5 years ago

It also depends on why you are using 2FA. If you're just using it to minimise the risk of logging into your accounts on public computers, it's totally valid to store the TOTP secrets on your own PC and e.g. your phone for mobile use.

kousu commented 5 years ago

Okay, I like the public-computer justification. Thanks. I think I can sleep better :)

kousu commented 4 years ago

gopass thinks: https://github.com/gopasspw/gopass/blob/master/docs/features.md#adding-otp-secrets

Note: Depending on your security needs, it may not behoove you to store your OTP secrets alongside your passwords! Look into Multiple Stores if you need things to be separate!

OJFord commented 4 years ago

If you use an OpenPGP smart card (such as a YubiKey) then I suppose it effectively turns TOTP-supporting sites into FIDO U2F-supporting (not that actual standard obviously, but in effect) sites.

You 'have':

You 'know':

(Just working this through for myself really - my initial reaction was the same, OP.)

tadfisher commented 3 years ago

This project essentially allows you to convert the OTP factor into another secondary factor, or remove it as you wish. I personally use a Yubikey to decrypt passwords, so OTP-based 2FA is redundant for me.

kousu commented 2 years ago

Turns out, Browserpass agrees with me!

That said, security is about tradeoffs. For most accounts, I'm far more fearful of getting locked out because I've broken my phone and lost my 2FA codes than I am worried about someone breaking into pass. And having OTP on still protects me from someone who has stolen my site password in a data breach or through my negligence, but hasn't got my master password or pass itself.

I find myself being extremely grateful for pass-otp every time I'm prompted with an annoying page nagging me for a code.