Comment by unshavedyak
6 months ago
In my view the factors are attack vectors. If i wrote both my token and my pass down on a single sticky note, it's 1FA. If i have them on two stickies stored in two locations, it's 2FA.
Though i have no idea, that's just how i internalized it over the years. In your 1Pass example, it's a single attack vector (the password of my 1pass) to compromising both the token and the password of the product/server/thing.
How many feet apart do the two sticky notes have to be before it’s 2FA? :)
In the spirit of the idea, it would be the attack vector imo. So behind locked doors, buildings, safes, etc.
E.g. a hacker can access my computer, even have a clipboard/keylogger on my machine, and have a difficult time finding my token if it's on my phone. They need to attack my phone and my computer.
Having them both in your unlocked 1Password vault means if someone walks by your computer they can access your account. A single location with both of your "2FA". If they had a keylogger installed on your machine, they only need your single 1Pass password to breach your "2FA".
Granted i imagine that a phone TOTP would still be a concern with a keylogger on your PC, since you still enter it on your compromised machine. Still more difficult than having the TOTP key though, of course.
You're inventing a new definition of the term 2FA. The problem it was created to solve was the ability of attackers to remotely access services using weak or compromised user passwords. This is relatively low cost to do on a mass scale whereas rooting each individual's computer to compromise their password manager is not.