Advice Request Is enabling 2FA every time you login to your password manager and overkill?

  • Thread starter ForgottenSeer 94943
  • Start date

Please provide comments and solutions that are helpful to the author of this topic.

F

ForgottenSeer 94943

Thread author
Hello,

I am using both Sticky Password and Dashlane for different purposes. Now in Sticky Password, when you first install it on a new device, it send a PIN to your email to authenticate the new device. Now in the settings, there is an option to enable 2FA. If you do so, you need to enter OTP each time you open Sticky Password (even on an authenticated device).

In Dashlane, you have the choice. Either you make it ask for OTP only for the first time you install it, or you make it ask for it each time you login to Dashlane.

Now my question is, what does asking for OTP each time you access your password manager offer? What does it protect you against? For me it is very inconvenient, but if it is worth it, I will enable it. So what do you guys think?
 
  • Like
Reactions: byronbytes, Stopspying, show-Zi and 3 others
F

forgottenuser79643

Level 8
Jun 21, 2020
363
In my experience and knowledge, it's a matter of give and take.

A password manager should always be locked with a master password, and a (T)OTP on top of that prevents access to your password manager for when that master password has either been breached, cracked or found out. Then they'd have to go through the second layer which you'd have the TOTP code needed for through your 2FA app on android for example.

You'd have to choose whether the inconvenience is worth it for your uses and habits.
 
  • Like
  • +Reputation
Reactions: Stopspying, show-Zi, Oldie1950 and 3 others
F

ForgottenSeer 94943

Thread author
rain2reign said:
In my experience and knowledge, it's a matter of give and take.

A password manager should always be locked with a master password, and a (T)OTP on top of that prevents access to your password manager for when that master password has either been breached, cracked or found out. Then they'd have to go through the second layer which you'd have the TOTP code needed for through your 2FA app on android for example.

You'd have to choose whether the inconvenience is worth it for your uses and habits.
Click to expand...
You made a good point, but does this feature enhance the overall security? When one has 2FA enabled and enters the master password, is the vault decrypted after or before requesting OTP. Is the 2FA required for vault decryption or does it just restrict access to the UI? I believe I have to contact support to gain answers. Anyway, thank you very much for your comment.
 
  • Like
Reactions: Stopspying, show-Zi and ng4ever
SpiderWeb

SpiderWeb

Level 13
Verified
Top Poster
Well-known
Aug 21, 2020
608
I make my 2FA for my password manager my physical security key. One touch and I'm in. I don't think it's overkill. But I have it set up to unlock via biometrics so I'm honestly only truly logging into my password manager once every blue moon. Sometimes it has been such a long time that I'm struggling to remember what my super long password was lol.
 
  • Like
Reactions: Stopspying, Mystic, ng4ever and 2 others
F

ForgottenSeer 94943

Thread author
SpiderWeb said:
I make my 2FA for my password manager my physical security key. One touch and I'm in. I don't think it's overkill. But I have it set up to unlock via biometrics so I'm honestly only truly logging into my password manager once every blue moon. Sometimes it has been such a long time that I'm struggling to remember what my super long password was lol.
Click to expand...
Yes 2FA for your password manager should always be enabled. But that was not my point. My point was about 2FA mode Whether it is requested only once on the same device or requested every time you access your vault.
 
  • Like
Reactions: Stopspying, ng4ever and show-Zi
Brahman

Brahman

Level 18
Verified
Top Poster
Well-known
Aug 22, 2013
886
Lament said:
Yes 2FA for your password manager should always be enabled. But that was not my point. My point was about 2FA mode Whether it is requested only once on the same device or requested every time you access your vault.
Click to expand...
Cookies can be stolen, if you are a risky user, visits lot of dangerous websites, or if there are multiple users, you should enable such an option. But if you have a system with locked down configuration with default deny security software and with a private DNS firewall with dot or doh ( like nextdns either system level or on router level) or with advanced hardware firewall configuration ( like pfsense/ opnsense with snort/ suricata) you can relax on such an option to enter 2Fa password every time you login.
 
Last edited:
  • Like
  • Thanks
Reactions: plat, Stopspying, Mystic and 3 others
Amnesia

Amnesia

Level 1
Aug 23, 2021
47
On my devices, I just use a simple PIN/biometrics, on a new device I need my long ass complicated password and a code from an auth app.
It's not that I don't remember my password. I do, it's just that... it's not very convenient to type it everytime I open my PC / phone.
 
  • Like
Reactions: ng4ever and plat

Similar threads

giulia
    • Like
Question what do you use to store and keep very secure offline your password?
Replies
7
Views
419
General Security Discussions
McLovin
McLovin
BigWrench
    • Like
On Sale! NordPass Password Manager (1-Year Subscription) - Download $9.99 with code LABDDV24297
Replies
0
Views
297
Discounts and Deals
BigWrench
BigWrench
Victor M
    • Like
    • +Reputation
New Update 2FA (second factor authentication) for Ubuntu (cheap security)
Replies
3
Views
614
ChromeOS & Linux
Doss
D

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

Quick Navigation

Forum Rules Warning System Welcome Guide Two-factor Authentication

User Menu

Login

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top