
But be careful. If you access the passwords and 2FA secrets via the same credentials you are back to one-factor authentication if the secret + password store ever gets compromised.

Imho it's a different story if you use a separate gpg-key/secret to access the 2fa secrets (which should also only happen in emergency cases).

This can easily be done with pass.



Yeah... I do the same thing. 2FA secrets in my password vault.

I KNOW it defeats the purpose. But honestly, where the heck else am I supposed to put them? I know from experience that printouts get lost, and also that if someone were determined to hack me, the easiest route would be to break into my home and find the printouts.

So I guess I'm technically supposed to subscribe to a second password manager and store just my 2FA secrets inside of that, with a different master password. Or, put the 2FA secrets inside their own encrypted file stored in my password manager, but once again with their own password that... I can't keep in my password manager. But the biggest problem with both of these is I'm going to forget the password. I never forget my password manager master password because I use it weekly. But asking me to remember a password I last used 3 years ago because that's when I set up 2FA? It's not gonna happen.

It all feels so absurd that the UX side of me just rebels. Expecting users to store 2FA secrets in a different place from their passwords that is also just as secure... is just not something normal people are ever going to do.


It's misleading to say that storing your passwords and 2FA secrets in the same place defeats the purpose. There are several vectors here, right?

Enabling 2FA on a site (regardless of how or where the 2nd factor is stored) means if a malicious party were to obtain your plaintext password, they still wouldn't be able to access your account. So, outside of the entire discussion of password managers and secrets, 2FA does require a second factor.

Keeping your 2nd factor in the password vault does make the vault a much higher-value target. But it doesn't diminish the fact that if only your plaintext password is compromised (for example through a leak or re-use) the account is still protected until the point the 2nd factor is compromised.

Security is a spectrum, and often at odds with convenience. While demonstrating that something is provably secure is important, I feel we often fall victim to the nirvana fallacy when discussing the practical everyday use of these things.


Off topic: remarkable that you've made your first comment from a near-decade-old account!


Long-time lurker, first-time caller.


> store 2FA secrets in a different place from their passwords is just not something normal people are ever going to do

Normal people, in the sense of people who do what the interface says to do instead of layering anything else on top, are told 2FA means "something you know, and something you have."

"Know" means it exists only in your mind; it is not stored elsewhere. "Have" means you cannot possibly produce it with your mind; it's stored elsewhere.

When abiding by this concept, "storing 2FA secrets in a different place from their passwords" (the former in some electronic or printed format; the latter in one's mind) is simple. Things get complicated when people start storing both in some electronic or printed format, but that's not what any login interface tells people to do.

The neologism "passkey" (a string used in lieu of a password, but which is not memorable, and therefore is destined to be something you "have") will probably help to sort out this concept: there would be no confusion about the fact that combining a passkey with TOTP constitutes two "have" items, and therefore is 1FA until combined with something else (biometric, probably).


I think using a password manager is already 2FA.

Something you have: a password database on your PC.

Something you know: your master password.

TOTP is a nice addon, but you can store it in the same password manager. It will still help with some attacks (e.g. if a hacker manages to MITM your traffic, they only get the password + one code, which is not sufficient to log in again).


> I KNOW it defeats the purpose. But honestly, where the heck else am I supposed to put them?

Backing up my 2FA codes is one of the reasons that led me to create PortableSecret: https://news.ycombinator.com/item?id=34083366

Some people took issue with my comment regarding ‘not all secrets belong in your password manager’ but your comment is exactly what I meant.


My laptop, which contains all this secret information, is way, way more secure than my phone. There's the boot decrypt password, login password, then gpg password. My phone has ... A pin.

And besides, this is fine as an archived backup in case someone loses their phone. It just so happens it's faster for me to xsel the output of oathtool than it is to unlock my phone, open app, select account, and remember code, esp because I live in the terminal anyway.
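The two points above (a captured password plus one TOTP code is not enough to log in again, and generating codes from the terminal with oathtool) come down to RFC 6238. The following is an added example, not code from the thread or from oathtool: a standard-library TOTP generator plus a server-side verifier that tolerates one step of clock skew but refuses to accept a step that has already been consumed, which is what makes a code sniffed in transit useless afterwards. The seed is the published RFC 4226/6238 test vector, not a real secret; the `TotpVerifier` class, its skew policy and the 6-digit/SHA-1/30-second defaults are my assumptions.

```python
"""Added example: RFC 6238 TOTP generation and a replay-resistant verifier,
standard library only. Not code from the thread or from oathtool.

Assumptions (mine): base32-encoded seed as exported by enrolment QR codes,
HMAC-SHA1, 6 digits, 30-second steps, and a verifier that accepts +/-1 step
of clock skew but never accepts the same step twice.
"""
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional

# RFC 4226 / RFC 6238 Appendix B reference seed ("12345678901234567890" in
# ASCII), base32-encoded so the code path matches what an authenticator app
# ingests. This is a published test vector, not a real secret.
TEST_SEED_B32 = base64.b32encode(b"12345678901234567890").decode()


def hotp(secret_b32: str, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 4226 HOTP: HMAC(secret, counter) -> dynamic truncation -> digits."""
    # Normalise and re-pad the base32 string; exported seeds often omit '='.
    padded = secret_b32.strip().replace(" ", "").upper()
    padded += "=" * (-len(padded) % 8)
    key = base64.b32decode(padded)
    msg = struct.pack(">Q", counter)          # 8-byte big-endian counter
    mac = hmac.new(key, msg, algo).digest()
    offset = mac[-1] & 0x0F                   # dynamic truncation (RFC 4226 5.3)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, at: Optional[int] = None, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP over the number of `step`-second intervals since the epoch."""
    t = int(time.time()) if at is None else at
    return hotp(secret_b32, t // step, digits)


class TotpVerifier:
    """Server-side check that a code is valid AND has not been used before.

    Accepts codes from the previous, current and next step (clock skew) and
    remembers the highest step already consumed, so a code captured in
    transit cannot be replayed, even inside its own 30-second window.
    """

    def __init__(self, secret_b32: str, step: int = 30, skew_steps: int = 1):
        self.secret = secret_b32
        self.step = step
        self.skew = skew_steps
        self.last_used_step = -1

    def verify(self, code: str, at: Optional[int] = None) -> bool:
        t = int(time.time()) if at is None else at
        current = t // self.step
        for candidate in range(current - self.skew, current + self.skew + 1):
            if candidate <= self.last_used_step:
                continue  # step already consumed: treat as replay, reject
            expected = hotp(self.secret, candidate)
            if hmac.compare_digest(expected, code):
                self.last_used_step = candidate
                return True
        return False


if __name__ == "__main__":
    # Same job as `oathtool --totp -b <seed>` in the comment above.
    print(totp(TEST_SEED_B32))
```

The verifier is the part the thread's MITM argument relies on: with a seed only the server and the authenticator hold, a captured password plus one code buys the attacker at most the remaining seconds of that step, and nothing at all once the server has marked the step as used.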


Android phones are encrypted by default, but for encryption, they use the same PIN as your lock screen. There's some command you could run to replace it with a strong password while keeping screen lock PIN simple, but it didn't work for me last time I tried.


Surely the data is encrypted using a 128 bit key or better, and the key is stored on some secure enclave which rate limits PIN entries, is it not?


> Surely the data is encrypted using a 128 bit key or better

I think so, yeah.

> and the key is stored on some secure enclave which rate limits PIN entries, is it not?

That – I'm not so sure about. I didn't really think about it too much before you pointed it out, but it would make sense for the Android folks to have implemented it. I'll look into it a bit later!


How is a regular user supposed to think of all this in advance? It's ridiculous. Securely proving your identity in case of loss of proof of identity is hard enough with just passwords. With 2FA it's pretty much impossible.


I'm sure all of this will make sense to grandma, too.

(Gmail's main target is not devs, or even computer literate people. And owning a smart phone != literate.)


It may not help grandma as much as someone who maintains some popular opensource library that you may happen to use or someone that puts parts of their savings into crypto.

Who is more likely to visit this page (and use tools like pass) is up for you to decide.

The point still stands. Storing passwords and 2FA secrets in the same box will weaken the 2 in 2FA.

> (Gmail's main target is not devs, or even computer literate people. And owning a smart phone != literate.)

Grandma can always print the 2fa seed or write down the alphanumeric value and store it not next to the sheet with her passwords – same principle (I think she won't use pass anyway as opposed to the person I was originally replying to which tells me they are most likely technically literate).


Grandmas usually don't set up two-factor authentication in the first place.


Google will leave grandmas no choice.


This is not entirely true.

https://security.stackexchange.com/a/194279 explains it better than I could.


I enrol any TOTP codes into 3 Yubikeys, and also keep the private key physically printed out.

Although, for Google, I'm using FIDO.



