Question: Is enabling 2FA every time you log in to your password manager overkill?

  • Thread starter ForgottenSeer 94943

ForgottenSeer 94943

Thread author
Hello,

I am using both Sticky Password and Dashlane for different purposes. Now in Sticky Password, when you first install it on a new device, it sends a PIN to your email to authenticate the new device. Now in the settings, there is an option to enable 2FA. If you do so, you need to enter an OTP each time you open Sticky Password (even on an authenticated device).

In Dashlane, you have the choice. Either you make it ask for OTP only for the first time you install it, or you make it ask for it each time you login to Dashlane.

Now my question is, what does asking for an OTP each time you access your password manager offer? What does it protect you against? For me it is very inconvenient, but if it is worth it, I will enable it. So what do you guys think?
 

rain2reign (Level 8, Verified, Well-known; joined Jun 21, 2020; 375 posts)
In my experience and knowledge, it's a matter of give and take.

A password manager should always be locked with a master password, and a (T)OTP on top of that prevents access to your password manager for when that master password has either been breached, cracked or found out. Then they'd have to go through the second layer, which you'd have the TOTP code needed for through your 2FA app on Android, for example.

You'd have to choose whether the inconvenience is worth it for your uses and habits.
 
ForgottenSeer 94943

Thread author
> rain2reign said:
> In my experience and knowledge, it's a matter of give and take.
>
> A password manager should always be locked with a master password, and a (T)OTP on top of that prevents access to your password manager for when that master password has either been breached, cracked or found out. Then they'd have to go through the second layer, which you'd have the TOTP code needed for through your 2FA app on Android, for example.
>
> You'd have to choose whether the inconvenience is worth it for your uses and habits.
You made a good point, but does this feature enhance the overall security? When one has 2FA enabled and enters the master password, is the vault decrypted after or before requesting the OTP? Is the 2FA required for vault decryption, or does it just restrict access to the UI? I believe I have to contact support to get answers. Anyway, thank you very much for your comment.
 

SpiderWeb (Level 9, Verified, Well-known; joined Aug 21, 2020; 446 posts)
I make my 2FA for my password manager my physical security key. One touch and I'm in. I don't think it's overkill. But I have it set up to unlock via biometrics so I'm honestly only truly logging into my password manager once every blue moon. Sometimes it has been such a long time that I'm struggling to remember what my super long password was lol.
 
ForgottenSeer 94943

Thread author
> SpiderWeb said:
> I make my 2FA for my password manager my physical security key. One touch and I'm in. I don't think it's overkill. But I have it set up to unlock via biometrics so I'm honestly only truly logging into my password manager once every blue moon. Sometimes it has been such a long time that I'm struggling to remember what my super long password was lol.
Yes, 2FA for your password manager should always be enabled. But that was not my point. My point was about the 2FA mode: whether it is requested only once on the same device or requested every time you access your vault.
 

Brahman (Level 15, Verified, Top poster, Well-known; joined Aug 22, 2013; 700 posts)
> ForgottenSeer 94943 said:
> Yes, 2FA for your password manager should always be enabled. But that was not my point. My point was about the 2FA mode: whether it is requested only once on the same device or requested every time you access your vault.
Cookies can be stolen. If you are a risky user who visits a lot of dangerous websites, or if there are multiple users, you should enable such an option. But if you have a system with a locked-down configuration, with default-deny security software and a private DNS firewall with DoT or DoH (like NextDNS, either at system level or at router level), or with an advanced hardware firewall configuration (like pfSense/OPNsense with Snort/Suricata), you can relax on such an option to enter the 2FA password every time you log in.
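Two questions in this thread, whether the OTP gates vault decryption or only access (ForgottenSeer 94943 above), and what a stolen "remembered device" cookie buys an attacker (Brahman above), can be made concrete with a small model. The following Python is an added example written for this thread; it is not code from Sticky Password, Dashlane or any other product, and it assumes a common design rather than describing any vendor's: the vault key is derived from the master password alone, a sync server hands out the encrypted vault blob only after a valid TOTP, and a "remember this device" token (the cookie) lets a device skip the OTP on later logins. The cipher is a toy stand-in for AES-GCM, and every secret and value in it is constructed.

```python
import hashlib
import hmac
import secrets
import struct
import time


def derive_vault_key(master_password: str, salt: bytes) -> bytes:
    # Depends on the master password alone; no second factor ever enters the KDF.
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, 200_000, dklen=32)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Toy CTR keystream from HMAC-SHA256 (the stdlib has no AES); a real manager uses AES-GCM.
    blocks = [hmac.new(key, nonce + struct.pack(">I", i), hashlib.sha256).digest()
              for i in range(length // 32 + 1)]
    return b"".join(blocks)[:length]


def encrypt_vault(key: bytes, plaintext: bytes) -> bytes:
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()  # encrypt-then-MAC
    return nonce + ct + tag


def decrypt_vault(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong master password or tampered vault")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


def totp(secret: bytes, at: float = None, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1, 30 s step): the code an authenticator app displays."""
    counter = int((time.time() if at is None else at) // step)
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def verify_totp(secret: bytes, code: str, at: float = None) -> bool:
    now = time.time() if at is None else at
    # Also accept the previous and next step, to absorb small clock drift.
    return any(hmac.compare_digest(totp(secret, now + d * 30), code) for d in (-1, 0, 1))


class SyncServer:
    """Holds the encrypted blob and releases it only after the second factor."""
    def __init__(self, vault_blob: bytes, totp_secret: bytes, otp_every_login: bool):
        self._blob = vault_blob
        self._totp_secret = totp_secret
        self._otp_every_login = otp_every_login  # per-login OTP vs. once per device
        self._trusted_devices = set()

    def fetch_vault(self, otp_code: str = None, device_token: bytes = None):
        if device_token is not None and device_token in self._trusted_devices:
            return self._blob, device_token  # a remembered device skips the OTP entirely
        if otp_code is None or not verify_totp(self._totp_secret, otp_code):
            raise PermissionError("second factor required")
        token = None
        if not self._otp_every_login:
            token = secrets.token_bytes(32)  # stored on the device, much like a cookie
            self._trusted_devices.add(token)
        return self._blob, token


# Constructed scenario data, not taken from any real product or account.
MASTER_PASSWORD = "correct horse battery staple"
SALT = b"constructed-salt"
TOTP_SECRET = b"constructed-totp-seed"
VAULT_PLAINTEXT = b"example.com: alice / hunter2\n"
BLOB = encrypt_vault(derive_vault_key(MASTER_PASSWORD, SALT), VAULT_PLAINTEXT)


def decrypts_without_otp() -> bool:
    """Cached blob plus master password: decryption never consults the second factor."""
    return decrypt_vault(derive_vault_key(MASTER_PASSWORD, SALT), BLOB) == VAULT_PLAINTEXT


def password_alone_cannot_fetch() -> bool:
    """Password known but blob not cached: the server refuses without a valid TOTP."""
    try:
        SyncServer(BLOB, TOTP_SECRET, otp_every_login=True).fetch_vault()
        return False
    except PermissionError:
        return True


def copied_trust_token_skips_otp(otp_every_login: bool) -> bool:
    """Does a copied 'remember this device' token open the account from elsewhere?"""
    server = SyncServer(BLOB, TOTP_SECRET, otp_every_login)
    _, token = server.fetch_vault(otp_code=totp(TOTP_SECRET))  # legitimate first login
    if token is None:
        return False  # OTP-every-login mode never issues a token, so there is nothing to copy
    try:
        server.fetch_vault(device_token=token)
        return True
    except PermissionError:
        return False
```

Under this model the three scenario functions return True, True, and True/False respectively: the OTP does nothing for someone who already holds a cached copy of the vault and the master password, it does stop someone who has only the password and must fetch the vault from the server, and a copied device token gets past the OTP only in the once-per-device mode, which is why the every-login setting matters when the token itself might be stolen.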
 

Amnesia (Level 1; joined Aug 23, 2021; 18 posts)
On my devices, I just use a simple PIN/biometrics; on a new device I need my long ass complicated password and a code from an auth app.
It's not that I don't remember my password. I do, it's just that... it's not very convenient to type it every time I open my PC / phone.
 