Proton Pass is an open source, end-to-end encrypted password manager app. Create and store passwords, email aliases, 2FA codes, and notes on all your devices
Not fully accurate. The 2FA still prevents issues such as credential stuffing or bruteforcing, which might not depend on you. Of course, these risks are very limited if you use random unique passwords (as it makes sence since you are using a password manager).
Also 2FA is anyway there for the password manager, and if you have a session on, chances are the same applies for the target app (for example, your email). So it’s not completely useless.
This said, I agree with the general principle. I personally use yubikeys where I can, including to store the TOTP codes (I never liked the phone to be 2FA device that much…)
Yeah, that’s what I said one line after. However there are also other corner cases (very unlikely) such as shoulder diving or a video recording, or people simply not using random unique passwords (for example because they chose the password before and they don’t want to rotate it). In general I agree with the principle that is not 2FA if it’s all in one place, but it’s also quite a corner case that the password manager is pwned alone (i.e., and not the target services), and in any case it’s not like not having 2FA at all.
As per the video they released https://youtu.be/M8doASpFbuk it allows you to immediately enter the 2FA account… oh man. as @noodlejetski said, this very much negates the whole point of 2FA.
I really like protonmail and have been a paying user for years now. But nothing beyond calendar and mail has really made a lot of sense to me so far. I’ll stick to my Keepass container, syncing that across my devices. It’s easy to manage and I don’t need to trust anyone else with that data ever in no way, shape or form.
I think 2fa-in-your-password-manager is slightly better than not using it, since it requires that the attacker have access to your password vault, so it still protects against cases where just your password leaked somehow, but yeah, definitely not as good as full 2fa.
But to add to that as well: If the site has stored your password insecurely, they will probably have lost your 2FA secret too. Which even has to be stored in ‘plain text’ in contrast to your password.
What does 2FA authenticator mean? Is it a vault to store your 2FA seeds?
deleted by creator
Not fully accurate. The 2FA still prevents issues such as credential stuffing or bruteforcing, which might not depend on you. Of course, these risks are very limited if you use random unique passwords (as it makes sence since you are using a password manager).
Also 2FA is anyway there for the password manager, and if you have a session on, chances are the same applies for the target app (for example, your email). So it’s not completely useless.
This said, I agree with the general principle. I personally use yubikeys where I can, including to store the TOTP codes (I never liked the phone to be 2FA device that much…)
deleted by creator
Yeah, that’s what I said one line after. However there are also other corner cases (very unlikely) such as shoulder diving or a video recording, or people simply not using random unique passwords (for example because they chose the password before and they don’t want to rotate it). In general I agree with the principle that is not 2FA if it’s all in one place, but it’s also quite a corner case that the password manager is pwned alone (i.e., and not the target services), and in any case it’s not like not having 2FA at all.
As per the video they released https://youtu.be/M8doASpFbuk it allows you to immediately enter the 2FA account… oh man. as @noodlejetski said, this very much negates the whole point of 2FA.
I really like protonmail and have been a paying user for years now. But nothing beyond calendar and mail has really made a lot of sense to me so far. I’ll stick to my Keepass container, syncing that across my devices. It’s easy to manage and I don’t need to trust anyone else with that data ever in no way, shape or form.
yeah, although using a password manager as a 2FA provider sort of negates the “2F” part.
Depends. I use 1Password and let it store all my 2FA, because my 1Password login is secured with another 2FA.
deleted by creator
I think 2fa-in-your-password-manager is slightly better than not using it, since it requires that the attacker have access to your password vault, so it still protects against cases where just your password leaked somehow, but yeah, definitely not as good as full 2fa.
I disagree. 2FA also protects against a breach/leak of the site. If your password is leaked or stored insecurely, then the 2FA still helps.
But to add to that as well: If the site has stored your password insecurely, they will probably have lost your 2FA secret too. Which even has to be stored in ‘plain text’ in contrast to your password.
Yo dawg
Now imagine I would use a third 2FA app to store the second 2FA.