this post was submitted on 05 Dec 2024
7 points (88.9% liked)

Security

5072 readers
1 users here now

Confidentiality Integrity Availability

founded 5 years ago
MODERATORS
 

I store my mechanically generated passwords in 1Password. And I do not use the password in any way.

In such a case, does it make sense to activate TOTP? In my immature opinion, TOTP is only effective if you are using the same password for multiple websites. If this is incorrect, could you please tell me when TOTP would be useful?

top 5 comments
sorted by: hot top controversial new old
[–] [email protected] 7 points 3 weeks ago

And I do not use the password in any way

Sorry, what?

[–] [email protected] 5 points 3 weeks ago

There are 2 benefits of using TOTP here:

If an attacker gains access to your password, maybe through a keylogger or browser extension, the TOTP code will expire after a minute, and the attacker won't be able to log in later.

Using 2-factor authentication (in general) allows you to keep your login information on 2 separate devices, such as using your computer to store passwords, and your phone to generate TOTP codes. Most people (me included) will probably use 1 device for both though.

[–] [email protected] 2 points 3 weeks ago

TOTP is only effective if you are using the same password for multiple websites.

Whether it's the same password you use for everything, or a different password for each individual service, a time based one time password will increase security by requiring a potential hacker to have access to your device or some well-kept secrets in addition to your password. Lacking TOTP, you reduce the amount of hurdles required to get into your account.

[–] tomcatt360 2 points 3 weeks ago

TOTP is used to increase security by requiring potential attackers to both know your password, and have your token generating device. Usually your phone. It is useful even if you have unique passwords because the attacker needs access to both your password management solution and to your token generating device to gain access. In my opinion, it's worth setting up TOTP on all accounts that you care about.

[–] [email protected] 1 points 3 weeks ago

In general TOTP is recommended when offered. Aside from what other people are bringing up about added security when using password authentication, many sites use TOTP in the account recovery process when a password is forgotten. This is an old example, but in this case, attackers were able to do a forgot password for Gmail which sent a recovery email to an Apple email address, which the attackers were able to access. Had Mat been using MFA for Gmail, the attackers would have been prompted to provide an MFA code before the recovery email would be sent, thwarting the attack.