Comment by erikerikson
23 days ago
I disagree.
I use a password manager and systemically use long random passwords. An attacker would need to compromise my password manager, phish me, wrench me, or compromise the site the credential is associated with to get that.
Using local only TOTP (no cloud storage or portability for me, by choice) they would have to additionally phish me, wrench me, compromise my phone, or compromise my physical security to get the code.
None of these are easy except the wrench, which is high risk. My password manager has standard features which make me more phishing resistant, and together they are more challenging than either apart. For example, the fact that my password manager will not fill in the password on a non-associated site means I am much less likely to fill in a TOTP code on an inappropriate site. Though there are vulnerable scenarios, they aren't statistically relevant in the wild and the bar is higher regardless.
Now I happen to have a FIDO key which I use for my higher security contexts but I'm a fairly low value target and npm isn't one of my high security contexts. TOTP improves my security stance generally and removing it from npmjs.org weakened my security stance there.
I'm confused. All an attacker has to do is phish you to get your password and TOTP.
TOTP would cover cases like a compromised password manager or a reused password. That's it, right?
My password manager, as is standard for most of them, will not fill or show a password if the URL being visited doesn't match the credential. Thus, a credential not showing is a huge red flag. The workflow is pretty standardized so any deviation is a big red flag.
Maybe you can be more specific about the attack flow you are imagining and how it will work technically to bypass my controls.
To answer your question, no, and I provided details. It literally provides a second, non-portable factor with a different vulnerability surface.
> My password manager, as is standard for most of them, will not fill or show a password if the URL being visited doesn't match the credential. Thus, a credential not showing is a huge red flag. The workflow is pretty standardized so any deviation is a big red flag.
I agree.
> Maybe you can be more specific about the attack flow you are imagining and how it will work technically to bypass my controls.
Can you be more specific about the attack that your password manager doesn't solve that your TOTP does? The attack I'm suggesting is already solved by your password manager.