Tip: Password Managers and 2FA

Published: 2019-11-01
Last Updated: 2019-11-01 18:24:05 UTC
by Didier Stevens (Version: 1)
1 comment(s)

I guess many of you use a password manager.

I do too. And several credentials stored in my password manager also have 2FA, typically based on an algorithm that has to be seeded with a secret key (like the one used by Google Authenticator).

Whenever I have to create a new account with 2FA, I will store the 2FA key in my password manager along with the password for that account. And if the key is presented as a QR code (it often is), I will save that QR image temporarily to disk and include that file in my password manager.

This way, if I lose my device for 2FA authentication (e.g. smartphone), I can get a new device and start again with a fresh 2FA app install.

If you don't like the idea of storing your password together with your 2FA key: use 2 different password managers, one for your passwords and one for your 2FA keys. And use 2 different master passwords :-)

 

Didier Stevens
Senior handler
Microsoft MVP
blog.DidierStevens.com DidierStevensLabs.com

Keywords: 2FA manager password
1 comment(s)

Comments

Some TOTP applications are already able to back up TOTP seeds to their cloud storage. E.g. Authy (keeping TOTP separate) and BitWarden both offer this service for free.

Diary Archives