sayright's comments

Storing password and TOTP seed in a single storage goes against the concept of 2FA.


You should store your TOTP keys in a different KDBX file, locked with a different master password, and maybe even used on a different device/PC.

We all know that you shouldn't store your password along with TOTP secrets, or should I make a blog post explaining this?


Well, instead, a general password without a password manager assumes that someone remembers that password (and perhaps reuses that password). Using a password manager (with a different password for each service) plus TOTP would serve its purpose. You still have to enter the code, so it still requires you to "have" that code somehow, which makes it no different than provisioning multiple devices, which many 2FA systems won't prevent, perhaps other than hardware TOTP devices.


HN article above this one: "Going faster doesn't make you happier." :)

