Is this some sort of a convenience feature hidden behind a paywall to justify purchasing their subscriptions or does generating the codes actually cost money? If the latter is the case, how do applications like Aegis do it free of cost?

  • darcy
    link
    fedilink
    arrow-up
    33
    ·
    1 year ago

    its best to keep passwords and totp separate

    • 7heo@lemmy.ml
      link
      fedilink
      arrow-up
      4
      ·
      edit-2
      1 year ago

      Naaah, in “Multiple factor Authentication”, the word “factor” is just to look cool… The original MfA meant “Multiple fields Authentication”. (I’ll see myself out)

      • darcy
        link
        fedilink
        arrow-up
        2
        ·
        1 year ago

        i dont think i know what youre talking about?.. but factor refers to one of three types: something you know (passwords), have (totp or yubikey), or are (biometrics). having 2 passwords is almost the same as having one password, since they are the same factor. thats why having totp linked to your password manager is basically like having 2 passwords. it almost defeats the point

        • 7heo@lemmy.ml
          link
          fedilink
          arrow-up
          2
          ·
          1 year ago

          I made a joke, basically saying that if you use a single device, it’s “Multiple fields authentication” as opposed to “multiple factors authentication”.

    • nehal3m
      link
      fedilink
      arrow-up
      3
      arrow-down
      1
      ·
      edit-2
      1 year ago

      Not sure I agree.

      Yes, your password manager is a single point of failure this way. But I would argue any non-SMS based TOTP is better than none, so if a higher percentage of people use it the easy way instead of not at all I consider that a win.

      After all, you would still not only need the password but also access to the manager which technically is more than one factor.

    • Amju Wolf@pawb.social
      link
      fedilink
      English
      arrow-up
      3
      arrow-down
      1
      ·
      1 year ago

      Nowadays many services just force MFA on you in some way, and stuff like SMS or email verification is shitty, insecure and inconvenient. TOTP is then the next best thing, and having it integrated with a password manager is fine as long as you are aware of the risks.

      • darcy
        link
        fedilink
        arrow-up
        4
        ·
        1 year ago

        mfa is good tho. i think its almost good its forced on normies. sms/email 2fa is garbage however, and google authenticator is very bad for privacy. for most people (assuming you have a phone), is it really that much to have a separate password-locked 2fa totp app? they exist for both phone and desktop, and can be synced (although personally i cant see that being a good idea). totp is basically a hidden password hashed with the current time, so if the hidden password is leaked it can be replicated at any time. if your main computer gets compromised or keylogged, then accessing one 6-digit code is worthless unless used in the next 30s, unlike the totp secrets

        • Amju Wolf@pawb.social
          link
          fedilink
          English
          arrow-up
          4
          ·
          1 year ago

          I think its almost good its forced on normies

          Sure, but ideally there should be an option to opt out for most things. Sometimes you get forced into it for the dumbest stuff.

          And, like, don’t forget that everyone’s use case is different. For most people, Google account is really important. But I might use it as a burner account and not care about its security almost at all. Then MFA is only annoying.

          is it really that much to have a separate password-locked 2fa totp app

          I use PC for most of what I do (both work and leisure). There’s a major difference between having TOTP autofilled and having to find my phone, pick it up, unlock it, find the authenticator app, click/find the correct authenticator, then typing in the code.

          Again, depends on the account, but for the vast majority of my accounts it’s complete overkill.

          Doesn’t help that many providers don’t properly remember devices/logins. If I had to sign into a given account once a year I wouldn’t care much. But when it’s monthly or more (for many, many accounts), and half of them don’t even remember the device and ask for OTP every time, it truly is a pain.

          if your main computer gets compromised or keylogged, then accessing one 6-digit code is worthless unless used in the next 30s, unlike the totp secrets

          Realistically if my main computer gets compromised I’m royally fucked either way. I try to be safe in general, know what I’m doing for the most part (definitely more than your average user, though that’s probably true about literally everyone on Lemmy) and in like 20 years since I had access to a computer I never had an issue, so I’m probably doing something right (and I used to do way, way dumber stuff on much less secure systems than one has today).

          But yeah, you’re right I probably shouldn’t have OTP in my password manager at least for my primary email. I’m sure I’ll get to fix that someday…

          • darcy
            link
            fedilink
            arrow-up
            1
            ·
            1 year ago

            i agree with your point about different use cases.