HACKER Q&A
📣 daenz

Why do password managers have TOTP?


Doesn't this break the purpose of MFA, which is that the thing you know (password) is separate from the thing you have (MFA device)? If so, then why do all of the reputable password managers include TOTP functionality?


  👤 andrecarini Accepted Answer ✓
Short answer: Password managers offer this functionality because there is a demand for it.

Long answer: In practice, TOTP schemes are used (from a webadmin point of view) just to stop credential stuffing attacks [1].

There is very little additional security in generating TOTPs on a dedicated device, such as a smartphone, compared to generating them on the password manager itself. Threat models in which a separate setup would have a benefit include only breaches of your password database itself.

For savvy users with unique passwords, protecting against that threat model offers little benefit at a significant convenience penalty, as such attacks are unlikely to begin with. If MFA with hardware tokens is not an option, then it might not be worth the hassle of TOTPs.

As such, password managers that offer TOTP are useful in scenarios where using TOTP is mandatory and does not provide security benefits.

[1] https://en.m.wikipedia.org/wiki/Credential_stuffing


👤 jeffp17
The assumption is that your password manager is only accessible on physical devices that you have authorized. The stored data is encrypted and will only decrypt upon being authenticated by whatever means you have set up (i.e. password, fingerprint, face id, etc.). The only way for a potential attacker to utilize an OTP generated by your password manager would be to somehow gain control of the physical devices where the password manager is installed and authenticate themselves as you.

As I understand, preventing such a scenario is not the purpose of MFA. Rather, it is to prevent the scenario where an attacker either attempts to brute-force guess your password to a particular application (or figures it out in some other way) and now is blocked by the inability to get past the "enter the OTP code from your authenticator app" question.

---

The scenario that you ask about is a valid concern. It is just not the same concern as what is solved by OTP/MFA.

One area where the notion of separation of keys makes more sense is cryptocurrency, where if you have any serious investment in it, it is advised to set up a multi-key scheme. In such a case, even if somebody were to be forcefully required to allow a physical attacker to gain access to their password manager, there would still not be enough information there for the attacker to steal anything.


👤 klaustopher
The team from 1password did a nice writeup when they introduced storing TOTP in their password manager.

Gist is: Most people treat TOTP as a second, time-based password (multi step authentication) instead of a second factor. If you truly want a 2nd factor, you should never sync your passwords to the phone you are using as 2FA, and never use your passwords on the phone you are using as 2FA.

So it depends on your own security concerns if you want to treat TOTP as a true second factor or as a secondary, time-based password only.

https://blog.1password.com/totp-for-1password-users/


👤 happyopossum
The whole "thing you know / thing you have" is very outdated thinking. It made sense as a way to explain it 20+ years ago when 2fa was primarily done with physical RSA fobs, but it makes no sense in the modern world of TOTP, password managers, etc.

For one thing, TOTP by its nature isn’t tied to a thing I have. Heck - you could build a TOTP token web service accessible from anywhere, it’s just an algorithm.

Secondly, if you’re using a password manager, you likely don’t know the password, so that part doesn’t fit either.

And if you insist on still fitting that square peg into today's round hole: The thing I know is my password manager's decryption key, and the thing I have is my laptop / iPhone.


👤 Jaruzel
As a Brit of a certain age, I hate the term TOTP in this context, as it will always mean to me 'Top of The Pops'[1] ;)

---

[1] https://en.wikipedia.org/wiki/Top_of_the_Pops


👤 bawolff
95% of the security of TOTP stuff is that users have no freedom in implementing it and thus can't mess it up. There is no equivalent of having "hunter2" as your password when the user doesn't choose the secret. They can't reuse secrets across sites if they don't choose secrets.

Every other realistic threat is not helped by TOTP. There are some threats that in theory TOTP can help with, but don't given how it is used on the web.

* phishing - just as easy to phish the token

* trojan on your computer/shared workstation - just steal the session cookie or take control of browser remotely

(For U2F/fido keys/webauth based 2fa the situation is a bit different, but almost nobody uses that)


👤 hsbauauvhabzb
Side question: why is nobody losing their minds over the fact that almost all other MFA actions rely on your phone, which almost always has access to critical services (banking, work mail, personal mail, possibly ssh, etc).

I’m more concerned about losing my device as many MFA tokens are not backed up in the Apple ecosystem.

The architecture is flawed for convenience's sake.


👤 anhncommenter25
For me I weighed the risks and decided that losing my phone and getting locked out of services with 2FA was a more realistic problem than someone compromising my password manager.

I still use 2FA when it's available because it still protects against an individual password leak.


👤 tgsovlerkhgsel
Because some sites/companies force people who do not want MFA to use MFA, and people aren't willing to sacrifice convenience for security like that.

(Probably also because some people really don't get the point of 2FA and demand that feature, but the above is enough of a legitimate reason to support it.)


👤 dub
One use case for password managers is account sharing among multiple people. Password managers make more money if they support that use case, which provides legitimate value in companies and families

👤 nicoburns
Worth noting that a lot of services now force MFA even if the user doesn’t consider it important enough to warrant it (MFA is always a trade-off between security on one side, and convenience and the risk of losing access entirely on the other hand)

Putting a TOTP code in a password manager is in many ways a way of turning off MFA for services that don’t let you do this.


👤 rjzzleep
Where exactly are people supposed to store their recovery keys? I get that theoretically it’s supposed to be cold storage.

Suppose you’re actually targeted by government, and you want to protect access you only have two possibilities.

Store it in encrypted cold storage that people that are targeting you have access to or forget them altogether and lose access yourself.

I feel like people have forgotten what is actually being protected from.

Most MFA apps on iOS either store the keys in iCloud Keychain or some third party sync service or not at all when your phone breaks.

I think the threat model isn’t well thought through at all.

An offline encrypted keystore doesn’t in fact have a worse security characteristic than most options listed above.

And yes theoretically an HSM is better but realistically speaking I think a physical key that I carry around every day isn’t almighty either.


👤 troad
Considering I don't know my passwords, nor can I generate TOTP codes off the top of my head, both are "things I have" for me (a password manager + TOTP manager). And because of this, I prefer to keep the two things separate. That way you need to compromise two services rather than just one.

Realistically though, once an attacker's gained access to your computer or phone, there's very little you can do to prevent them misusing that data. You can keep your TOTP on a second device encrypted with a Yubikey that you keep in a vault in Geneva, but it's not overly useful when an attacker can simply call your bank and read out the security reset SMS they sent you/him.

I'm happy to hear from security power users if there's anything I'm missing.


👤 timwis
I asked this question on the 1Password forum 3 years ago, and thought the responses were interesting:

https://1password.community/discussion/101714/why-is-it-a-go...


👤 k8sToGo
If you are really strict about 2FA, then in theory you would never be able to use your phone that you use for TOTP generation to log in to websites that use this TOTP code either.

So I'm pretty sure I already broke this separation due to convenience. So might as well put it in my PW Manager.


👤 bigDinosaur
It's slightly less secure, in the sense that if someone gains access to your password database they'll have access to your MFA codes as well. The only scenario this would really matter in is if something like your phone or laptop was stolen, but not both, and they already could unlock your database file.

Practically I'd say that using the TOTP functionality of your password manager is such a big win for the average user that I'd advise people use it without hesitation.


👤 Vladimof
I think that you are right, but I don't want 2FA, so I use the TOTP from my password manager.

Also, I think that we should be able to reset a regular password with a TOTP?

Why do we need email?


👤 DyslexicAtheist
It usually doesn't except when your threat model includes a scenario where physical compartmentalization is supposed to prevent giving up the secret under duress (you don't carry the out of band device with you to wherever you go). But in that case you're better off being able to plausibly deny the existence of that secret (or the communication channel) in the first place.

👤 Aulig
I personally have a second password database that generates my MFA codes. I only open that on my phone (because I think the KeePass desktop app doesn't support TOTP out of the box).

I guess in this case it's like a second password. Only really useful if someone only manages to brute-force/spy on my main master key but not the second one, right?

Would love to hear opinions on this, I might be missing something.


👤 buddylw
I really like having totp functionality. I use a yubikey for TOTP and boot into an air gapped machine with KeePass to store the TOTP codes in case I lose or break the yubikey. I don’t store TOTP codes in my main password manager, but it’s not completely insane. You’re screwed if someone gets your decrypted password database, but you’re still protected from most other attack vectors.

👤 xs83
TOTP and MFA are 2 different things even though they are often used together.

MFA is all about having a second physically held device to authenticate, TOTP is one of the mechanisms by which this is done.

Not everything needs MFA, however it is often mandated so having the ability to generate TOTP in a situation like this (such as when an account is shared and pure security is not crucial) is convenient.


👤 bingo-bongo
Depends on type of attack/level of security vs convenience. Having both username, password and TOTP in your password manager protects against password leaks from cloud services, but not from someone stealing/getting access to the content of your password manager. Having TOTP on a separate device protects against both, but is also a bit more inconvenient in daily use.

👤 austhrow743
Different people have different goals. Just because a buyer for an organisation or a provider of a service wants users to use TFA doesn’t mean the users want to deal with it.

This is sort of like asking why do defence attorneys defend their client if the prosecution wants to convict them or why stores have security cameras if I want to take their stuff for free.


👤 nerdawson
I think it’s a decent enough balance for most people.

It’s still something you know plus something you have. If your credentials are somehow intercepted, you’re still covered.

Presumably it only falls down in the event your machine is fully compromised at which point you have bigger things to worry about.

With that said, it’s worth having separate 2FA setup on your actual password manager.


👤 SahAssar
I keep TOTP in my password manager, but my password manager is encrypted with a hardware key, a PIN code, and even getting the encrypted files depends on getting into my private git server.

I also only use TOTP on sites that don't support u2f/fido/webauthn or implement it badly (like amazon that only allows a single key).


👤 lysp
I agree.

I use password manager for passwords.

Use my phone for lower security TOTP codes, and a hardware key for things I want slightly more secure.


👤 pmontra
What kind of attack does it make possible that is impossible without TOTP in the password manager?

I'm not considering online password managers which IMHO are inherently weaker than local ones.

If somebody steals my laptop the passwords database is protected by a master password anyway.


👤 hu3
TOTP = Time-based One Time Password.

MFA = Multi Factor Authentication.

For those who didn't know, like me. I wish acronyms were less used or at least described when introduced. Like Elon Musk once said:

"Don't use acronyms or nonsense words for objects, software or processes at Tesla. In general, anything that requires an explanation inhibits communication. We don't want people to have to memorize a glossary just to function at Tesla."


👤 encryptluks2
Because a password manager isn't the only way a password can get exposed, and having a secure way to save your TOTP secrets is not a bad idea either in case you lose your hardware key.

👤 stevebmark
Your laptop is a second factor device. You don’t need to reach for your phone to log into anything with 2FA. Use a program on your laptop so you can get a TOTP code with a keystroke.

👤 bombcar
Because nobody, not even fancy techies, really cares about security, they care about "good enough" and all the usability they can get.

👤 Tagbert
Could you unpack the TOTP Acronym, please? I’m sure that it means something to you but it is not obvious nor as widespread as you may think.

👤 themehdi
We use it on shared accounts (sometimes they are inevitable). Before this feature, we had to rely on backup codes.

👤 remram
If it was on a different app on the same device, it still wouldn't be the 2FA you're talking about.

👤 rand49an
I work for an MSP who uses the MFA function of a password manager to access customer accounts. This means 2FA codes can be shared across teams of people and offers significant protection against credentials being stolen, as they can't be used once access is revoked to the password manager. We turn off exporting the MFA codes so that also can't be stolen.

👤 pacifika
I agree otherwise all we’d need is a TOTP master password, and login to a service without password

👤 charcircuit
A password manager (database) is not something you know. It's something you have.

👤 neximo64
Because users want it. Quite simple.

What users want > What is good practice.


👤 Jamie9912
What's TOTP?

👤 kitbrennan
I agree, it makes no sense to have them stored in the same password manager.

One of the things I like about 1Password is that we were able to switch off the built in TOTP for our whole organisation, and force all TOTP codes to go via Duo Security. Thereby forcing a separate 2FA app.