Threat Level: green Handler on Duty: Xavier Mertens

SANS ISC: InfoSec Handlers Diary Blog InfoSec Handlers Diary Blog


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

Tip: Password Managers and 2FA

Published: 2019-11-01
Last Updated: 2019-11-01 18:24:05 UTC
by Didier Stevens (Version: 1)
2 comment(s)

I guess many of you use a password manager.

I do too. And several credentials stored in my password manager also have 2FA, typically based on an algorithm that has to be seeded with a secret key (like the one used by Google Authenticator).

Whenever I have to create a new account with 2FA, I will store the 2FA key in my password manager along with the password for that account. And if the key is presented as a QR code (it often is), I will save that QR image temporarily to disk and include that file in my password manager.

This way, if I lose my device for 2FA authentication (e.g. smartphone), I can get a new device and start again with a fresh 2FA app install.

If you don't like the idea of storing your password together with your 2FA key: use 2 different password managers, one for your passwords and one for your 2FA keys. And use 2 different master passwords :-)

 

Didier Stevens
Senior handler
Microsoft MVP
blog.DidierStevens.com DidierStevensLabs.com

Keywords: 2FA manager password
2 comment(s)
ISC Stormcast For Friday, November 1st 2019 https://isc.sans.edu/podcastdetail.html?id=6734
Diary Archives