
I imagine you've considered it already, but maybe your work would be willing to put the 2FA secret into something like 1Password, which you could access on your computer instead of your phone.





Defeats the purpose of 2FA though. I'd argue a cheap 2FA-only phone would be good, if they're struggling to touch their real phone without being consumed by distractions.

It does not defeat the purpose of 2FA as possession of the decrypted 1Password vault is the second factor.

Isn't that just remembering two passwords instead of one? And isn't two passwords instead of one basically the same as remembering one very long password?

For that matter, how do they prevent you from using the same password for both?


https://news.ycombinator.com/item?id=44259556

I posted another comment explaining why a 1Password vault with both a password and an OTP code is still secure, but in short it does not defeat the purpose. Your vaults are protected, and in the situation where someone gets access to your vault it's most likely to be full access to your computer, at which point they have other viable methods to get access to a specific service you use.


Isn't the whole point of 2fa that if someone gets access to my computer they can't do shit because they'd need my phone too?

The “whole point” of 2fa is that even if someone knows your password they cannot log in with just credentials.

Compromising or stealing a device is a significant escalation from guessing passwords.


It is also more obvious when your device has been stolen vs just the password.

Well, I'm assuming 1Pass is also storing the password. I.e. if it's in the same place for your pass and token, it's 1FA, no?

No, the two factors are something you have and something you know. Not something you have and another thing you have. In this case decrypting the vault requires two factors.

In my view the factors are attack vectors. If I wrote both my token and my pass down on a single sticky note, it's 1FA. If I have them on two stickies stored in two locations, it's 2FA.

Though I have no idea, that's just how I internalized it over the years. In your 1Pass example, it's a single attack vector (the password of my 1pass) to compromise both the token and the password of the product/server/thing.


How many feet apart do the two sticky notes have to be before it’s 2FA? :)

In the spirit of the idea, it would be the attack vector imo. So behind locked doors, buildings, safes, etc.

E.g. a hacker can access my computer, even have a clipboard/keylogger on my machine, and have a difficult time finding my token if it's on my phone. They need to attack my phone and my computer.

Having them both in your unlocked 1Password vault means if someone walks by your computer they can access your account. A single location with both of your "2FA". If they had a keylogger installed on your machine, they only need your single 1Pass password to breach your "2FA".

Granted, I imagine that a phone TOTP would still be a concern with a keylogger on your PC, since you still enter it on your compromised machine. Still more difficult than having the TOTP key though, of course.
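The disagreement in this thread comes down to what a TOTP "token" actually is. The six-digit code is not the secret; it is derived from a long-lived seed and the current time, so whoever holds the seed can mint valid codes forever. The added example below (not from any commenter, and not 1Password's code) implements RFC 4226/6238 code generation against the RFCs' published test seed, and a small `locations_needed` helper that counts how many distinct storage locations must be compromised to obtain both the password and the seed under the two layouts argued about above. The layouts (`1password_vault`, `phone_authenticator`) are constructed for illustration.

```python
import hashlib
import hmac
import struct
from itertools import combinations

# Published RFC 4226 / RFC 6238 test seed, not a real credential.
RFC_TEST_SEED = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """TOTP (RFC 6238): HOTP with the counter taken from wall-clock time.
    Anyone holding `secret` (phone app, vault, or attacker) gets the same answer."""
    return hotp(secret, unix_time // step, digits)


def verify(submitted: str, secret: bytes, unix_time: int, step: int = 30, window: int = 1) -> bool:
    """Server-side check; accepts adjacent steps to tolerate clock drift, compares in constant time."""
    return any(
        hmac.compare_digest(submitted, totp(secret, unix_time + k * step, step))
        for k in range(-window, window + 1)
    )


def locations_needed(layout: dict, required=("password", "totp_seed")) -> int:
    """Smallest number of distinct storage locations whose contents together yield
    every required secret. This is the thread's 'attack vector' view: two factors
    kept in one place cost an attacker one compromise, not two."""
    names = list(layout)
    for k in range(1, len(names) + 1):
        for combo in combinations(names, k):
            held = set().union(*(layout[n] for n in combo))
            if set(required) <= held:
                return k
    raise ValueError("required secrets are not all present in the layout")


# Constructed layouts (hypothetical), one per side of the argument.
SEED_AND_PASSWORD_IN_VAULT = {"1password_vault": {"password", "totp_seed"}}
SEED_ON_PHONE = {"1password_vault": {"password"}, "phone_authenticator": {"totp_seed"}}


if __name__ == "__main__":
    now = 1111111109  # RFC 6238 test time; use int(time.time()) in practice
    code = totp(RFC_TEST_SEED, now)
    print("code minted from the seed:", code, "| server accepts:", verify(code, RFC_TEST_SEED, now))
    print("compromises needed, seed in vault:", locations_needed(SEED_AND_PASSWORD_IN_VAULT))
    print("compromises needed, seed on phone:", locations_needed(SEED_ON_PHONE))
```

The vault layout returns 1 and the phone layout returns 2, which is the distinction the sticky-note analogy is reaching for. Whether 1 is acceptable is the risk decision the thread is actually debating: the vault's own unlock (master password plus the device it is decrypted on) still has to be defeated first.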



