I store my mechanically generated passwords in 1Password. And I do not use the password in any way.

In such a case, does it make sense to activate TOTP? In my immature opinion, TOTP is only effective if you are using the same password for multiple websites. If this is incorrect, could you please tell me when TOTP would be useful?

  • @JASN_DE
    link
    719 days ago

    And I do not use the password in any way

    Sorry, what?

  • 56!
    link
    fedilink
    419 days ago

    There are 2 benefits of using TOTP here:

    If an attacker gains access to your password, maybe through a keylogger or browser extension, the TOTP code will expire after a minute, and the attacker won’t be able to log in later.

    Using 2-factor authentication (in general) allows you to keep your login information on 2 separate devices, such as using your computer to store passwords, and your phone to generate TOTP codes. Most people (me included) will probably use 1 device for both though.

  • @JustAnotherKay
    link
    219 days ago

    TOTP is only effective if you are using the same password for multiple websites.

    Whether it’s the same password you use for everything, or a different password for each individual service, a time based one time password will increase security by requiring a potential hacker to have access to your device or some well-kept secrets in addition to your password. Lacking TOTP, you reduce the amount of hurdles required to get into your account.

  • @[email protected]
    link
    fedilink
    English
    219 days ago

    TOTP is used to increase security by requiring potential attackers to both know your password, and have your token generating device. Usually your phone. It is useful even if you have unique passwords because the attacker needs access to both your password management solution and to your token generating device to gain access. In my opinion, it’s worth setting up TOTP on all accounts that you care about.

  • @[email protected]
    link
    fedilink
    English
    119 days ago

    In general TOTP is recommended when offered. Aside from what other people are bringing up about added security when using password authentication, many sites use TOTP in the account recovery process when a password is forgotten. This is an old example, but in this case, attackers were able to do a forgot password for Gmail which sent a recovery email to an Apple email address, which the attackers were able to access. Had Mat been using MFA for Gmail, the attackers would have been prompted to provide an MFA code before the recovery email would be sent, thwarting the attack.