SANS ISC InfoSec Forums
Tip: Password Managers and 2FA

I guess many of you use a password manager.

I do too. And several credentials stored in my password manager also have 2FA, typically based on an algorithm that has to be seeded with a secret key (like the one used by Google Authenticator).

Whenever I have to create a new account with 2FA, I will store the 2FA key in my password manager along with the password for that account. And if the key is presented as a QR code (it often is), I will save that QR image temporarily to disk and include that file in my password manager.

This way, if I lose my device for 2FA authentication (e.g. smartphone), I can get a new device and start again with a fresh 2FA app install.

If you don't like the idea of storing your password together with your 2FA key: use 2 different password managers, one for your passwords and one for your 2FA keys. And use 2 different master passwords :-)


Didier Stevens
Senior handler
Microsoft MVP
blog.DidierStevens.com DidierStevensLabs.com

DidierStevens

398 Posts
ISC Handler
Some TOTP applications are already able to back up TOTP seeds to their cloud storage. E.g. Authy (keeping TOTP separate) and BitWarden both offer this service for free.