4

So I use a password manager to generate a (strong) unique password for each and every site I have a username / password for.

For the ones that allow it I also enable TOTP (Time-based One-Time Password) 2FA.

This got me thinking.

Theoretically the only way somebody would get their hands on my password (excluding MITM attacks) would be for the password table of the site I'm using to leak, at which point in time the TOTP seed would leak too.

So what exactly is TOTP supposed to be protecting against? Is it intended as a protection against: MITM, key logger, over-the-shoulder viewer?

John
  • 41
  • 1

1 Answer

3

Two factor authentication cannot protect you from a site breach. If someone gains access to the site's password database, odds are they have access to any confidential data on that site too.

Two factor authentication protects you from somebody else obtaining your password. If you view this as impossible, 2FA is unnecessary. With most TOTP systems this relies on you having possession of a device with the relevant key installed as well as the password to log in. Often this device is separate to the device used to access the service (i.e. a smartphone for the token generator and a laptop for the service), which also offers some protection (your session can still be hijacked) should the device you are logging in from or your password manager be compromised.

The main risk for yourself is probably the password manager. Vulnerabilities do occur in these. This becomes twice as important if the passwords are stored online - since they are visible to machines you do not control.

Hector
  • 10,893
  • 3
  • 41
  • 44