On Mon, Jun 24, 2024 at 9:28 AM Michael J Gruber <mjg@xxxxxxxxxxxxxxxxx> wrote:
>
> Guinevere Larsen came, saw, said 2024-06-24 13:53:37:
> > On 6/24/24 5:08 AM, Miroslav Suchý wrote:
> > > On 24. 06. 24 at 9:48 AM, Mattia Verga via devel wrote:
> > >> IMO, having the token stored in your password manager means going
> > >> from 2FA to 1FA effectively ;-) if someone gets access to your
> > >> password manager vault, all accounts will be compromised.
> > >
> > > Only if you use the same password manager for both: password and OTP.
> > >
> > It still makes it 1FA. If all you need to get the OTP is to know which
> > password manager the user uses, and what the password for that
> > password manager is, OTP goes from being a "something you have" type of
> > authentication factor to a "something you know" authentication factor,
> > which is the same factor as the password. Multi-factor authentication is
> > not about steps, it's about what you need to complete the authentication
> > challenge (something you know, something you have, or something you are).
>
> Sure, and the "something you have" is access to the OTP device, which in
> this case is the (token stored in the) password manager's database.
>
> The password or passphrase which unlocks the password manager is nothing
> which you could provide as a "factor".
>
> Or else, all cloneable OTP apps would need to be disallowed as 2nd
> factors, and only physical tokens should count.

Also, why does everyone seem to assume that a password manager isn't ITSELF protected by 2FA? For my lower-concern sites, I am just fine with keeping the TOTP code in the manager because the manager itself is protected by a strong password and a physical FIDO device (YubiKey).

Remember that security is a spectrum, not an end-state. Every person and environment makes a choice between how much security and how much convenience is appropriate.

If you want perfect security, you can unplug your PC, fill it with concrete and drop it into the Mariana Trench. Otherwise, you make some compromises...

--
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue