Comment by UltraSane
6 months ago
Google only added this feature recently. I am really conflicted about this feature. Without it you need to either save every TOTP code when you first set up the account or manually disable 2FA on every account and then enable it again so you can enroll it on a new phone. I used it when migrating to my most recent cell phone but then disabled it. Of course you have to trust that Google actually deletes the codes from your account.
Same with me, I had set up MFA using Google Auth for an important account I use.
Next day the phone broke, and I lost that account forever. I had not written the backup codes down anywhere.
Generating and storing your passwords, OTPs, and passkeys in a fully E2EE system like 1Password is effectively a root of trust, although you also have to trust (a) the password manager company, (b) whatever third-party systems and devices they use to build and deliver their software, (c) the quality of their cryptosystem, and (d) whatever device you use to decrypt/access secrets in your vault.
I trust 1Password. They are very open about how they encrypt data and how the key is derived. I like how they store your encrypted data locally in a SQLite DB. My only real concern is with storing passkeys because they cannot be stored locally yet and you are granting 1Password control over your access to any site you need a passkey stored with them. They are working on a passkey exporting process. I would feel better if I could have the same Passkey stored by 1Password and Azure and Google.
What is the advantage of passkeys compared to managing unique passwords with 1pw? Is there any tangible benefit to switching, besides that Google et al will stop hounding you to do so?
I don’t trust 1Password, but not for technical reasons. They like to play subscription games and hold accounts hostage. I’m moving to Apple Passwords myself.
Yup. If you DON'T have this feature, you're depending on every user who has TOTP 2FA to actually save their backup codes somewhere they can retrieve ~years later or back up their TOTP some other way manually. Naturally, most users will fail to do this, so you'll have to deal with how to securely reset the accounts of people whose phones got lost or destroyed.
But then if you DO have it, you have to deal with the situation in this story, where if you can compromise their one key account, you get all of their TOTP codes too.