
What's the point of 2FA if you store it in the same place as the first auth factor?

Or maybe I've misunderstood. Are they behind different master passwords or something?



If an individual account password leaks, the second factor still protects the account.

This primarily protects against leaked passwords from the site being hacked, not from vaultwarden being hacked. But if my vaultwarden gets hacked I'm done anyway. They would have had to use multiple factors to get into the vaultwarden anyway.

Quick edit: I've also got all the codes in an actual Authenticator app on my phone (so I can get into vaultwarden if I have to), but they are additionally in vaultwarden for convenience. When vaultwarden autofills, it copies the code to my clipboard and I can seamlessly pass the second factor check. Either way, access to the codes needs physical access to a device I'm already on. In practice I'm only ever logged into vaultwarden on my phone and my PC, although I could log in remotely if I had to. As an additional safety measure, when my vault is logged into, some monitoring software sends me a push notification through an external service.


As far as I understand it:

The password is the "thing you know" and the password manager file is the "thing you have". So if someone compromised your email account knowing your password, they still need to access your password manager file to get access to the 2FA codes.

So it's still a second factor in that sense.
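The two comments above turn on what a TOTP code actually is: a value computed from a static seed plus the current time, so whoever holds the seed can produce every future code. The Python below is an added illustration, not code from the thread or from Vaultwarden. It implements RFC 4226 HOTP and RFC 6238 TOTP with the standard library, checks against the RFC test vectors (seed "12345678901234567890", a published test value, not a real secret), and shows that a single constructed vault record holding both the password and the seed yields both login factors at once; `factors_from_vault_entry` and `DEMO_ENTRY` are hypothetical names for this example.

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional

# Constructed demo seed: the ASCII test secret from RFC 4226 / RFC 6238,
# base32-encoded the way an authenticator app or password vault stores it.
DEMO_SEED_B32 = base64.b32encode(b"12345678901234567890").decode()

# Constructed vault record (hypothetical); password is a well-known placeholder.
DEMO_ENTRY = {
    "site": "example.com",
    "password": "correct-horse-battery-staple",
    "totp_seed": DEMO_SEED_B32,
}


def hotp(seed_b32: str, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then
    dynamic truncation to `digits` decimal digits."""
    padded = seed_b32.upper() + "=" * (-len(seed_b32) % 8)
    key = base64.b32decode(padded)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(seed_b32: str, at_time: Optional[int] = None,
         step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP whose counter is the number of 30-second steps
    since the Unix epoch. Nothing else goes in: seed + clock is the whole factor."""
    t = int(time.time()) if at_time is None else at_time
    return hotp(seed_b32, t // step, digits)


def verify_totp(seed_b32: str, code: str, at_time: Optional[int] = None,
                window: int = 1, step: int = 30) -> bool:
    """Server-side check: accept the current step and +/- `window` neighbouring
    steps to tolerate clock skew, comparing in constant time."""
    t = int(time.time()) if at_time is None else at_time
    for skew in range(-window, window + 1):
        if hmac.compare_digest(totp(seed_b32, t + skew * step, step), code):
            return True
    return False


def factors_from_vault_entry(entry: dict, at_time: Optional[int] = None) -> dict:
    """Everything a login needs, derived from ONE vault record. This is the
    point of the first comment: if the vault holds the TOTP seed next to the
    password, unlocking the vault yields both factors, so the vault's own
    protection (master password, device, its own 2FA) is what actually
    separates them."""
    return {
        "password": entry["password"],
        "otp": totp(entry["totp_seed"], at_time),
    }


if __name__ == "__main__":
    # RFC 6238 Appendix B vector: T=59 -> 287082 (6 digits), 94287082 (8 digits)
    print("TOTP at T=59:", totp(DEMO_SEED_B32, at_time=59))
    print("Factors from one record:", factors_from_vault_entry(DEMO_ENTRY, at_time=59))
```

The RFC vectors (counter 1 and T=59 both give 287082) confirm the implementation; the `factors_from_vault_entry` call is the mechanical form of the "thing you have" argument in the last comment: the second factor is whatever protects the seed, which in this setup is the vault rather than the phone.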



