Why does storing 2FA codes in your password manager make sense?

Perceived Benefits of Storing 2FA in Password Managers

  • Main pro: easier setup, backup, and recovery; reduces risk of losing access when a phone is lost or upgraded.
  • Encourages wider 2FA adoption; many users will skip 2FA if it can’t be kept with passwords.
  • Autofill tied to domains can block many phishing attempts because credentials and TOTP won’t appear on mismatched sites.
  • For some, storing TOTP with passwords is seen as “good enough” and better than SMS or email 2FA.

Security Concerns and Arguments Against

  • Combining passwords and TOTP in one vault collapses two factors into one compromise point.
  • If a password manager is breached or a shared vault is misused, an attacker may get both the password and the 2FA secret, turning 2FA into near-1FA.
  • Some see TOTP-in-password-manager as feature creep driven by convenience and marketing, not security.
  • Storing TOTP separately (another device/app, paper, second vault) forces an attacker to break two independent systems.

Phishing, Credential Stuffing, and 2FA’s Real Role

  • Disagreement on claims that TOTP’s “main advantage” is phishing resistance: TOTP and SMS codes are still phishable, especially with real‑time proxy attacks.
  • Several argue 2FA’s key value is preventing credential stuffing when users reuse passwords.
  • Time‑limited codes constrain a stolen code to a short window, but an automated relay can still use it inside that window.

Passkeys, Hardware Keys, and Factor Models

  • Passkeys/hardware keys highlighted as phishing‑resistant and better than TOTP in that respect.
  • Some note inconsistency: critics dislike co‑locating TOTP with passwords but accept passkeys tied to the same device/ecosystem.
  • Debate over the classical “something you know / have / are” model; some view almost everything as ultimately “something you know” (bits), others still find the model useful.

Usability vs. Purism

  • “Purist” stance: keep TOTP off the password manager for stronger separation.
  • Pragmatic stance: if separate 2FA causes lockouts or discourages 2FA, then storing TOTP in a good manager is a net win.
  • Especially for non‑technical users, passwords + TOTP in one manager may be significantly safer than weak or reused passwords without 2FA.

Alternative Setups and Backups

  • Common patterns:
    • Passwords in one manager, TOTP in a separate app (e.g., Aegis, Authy, FreeOTP+, Google Authenticator with sync/export).
    • File‑based managers (KeePass variants) with strong master passwords, keyfiles, or hardware keys; manual sync and offline backups.
    • Redundant devices for TOTP, printed or CSV‑based encrypted backups, or minimal “emergency” TOTP vaults on paper.
  • Some prefer hardware‑key 2FA (e.g., FIDO/WebAuthn, multiple keys) for critical accounts; TOTP‑in‑manager only for low‑value or forced‑2FA sites.