2FA Sucks

LTT did a video 5 months ago with the outro sponsor being Keeper, and one of the talking points being keeping 2FA codes in Keeper the password manager. It was the video on upgrading Linus's home NAS swapping out an 8TB archive drive to the 22TB drives.

Security researcher here. If someone has the capability of having a software keylogger on your computer, they have the capability to dump the cleartext content of your password manager once you unlock it. It’s basically game over once an attacker can execute anything on your computer in your user session.

The biggest issue I have is with platforms ( specifically gov ones ) is when they force you to change your password every 1 month / 3 months and it can't be the same as any password you used in the last couple of years.

12:30 it still relies on a static key, the alternating code just works off of an algorithm based on the current time. The underlying key is still static.

Bad clickbait title. Linus is clearly referring to specific things, NOT 2FA in general which it implies.

The number of times I've HAD to go back to Bank of America because whenever I try a small bank their security is run by IDIOTS.
"We made it so you can't copy and paste a password to be secure!" > I use a password manager to have passwords that are longer then the heat death of the sun.
"You can't have 2 repeating letters" > just WTF?
They say "it's for your security", except whoever they hired is insanely stupid.

2FA in your password manager is better than no 2FA. So for people who will not accept the inconvenience, It is still technically more secure than no 2FA at all. That said, it’s obviously less secure than keeping your two FA separate from your password manager, as the password manager becomes a single point of failure. To that point though I think most people probably think a little bit harder about how they’re securing their password manager.

When I was getting a password manager for my company, I tried asking the sales representatives of all companies we checked as to whether we can disable the ability to save 2fa codes. all of them said no.

Teams on a Mac = Nightmare! If you're logged in you can't join meetings. Mail links take you to the app, the app takes you to login on the web, back to the app and then it fails to join.
The web version works until the laptop becomes completely unresponsive. This helped🗑

For 90% of users it is a good recommendation to store everything in one place and have it really well secured instead of having multiple things that are badly secured

As I understand it: The main difference is between apps and browsers. Apps are generally considered to be a more trusted environment. Where once the device is verified, it can remain verified, and that device can be used as a factor of authentication. Whereas browsers are generally considered less secure, and have to be regularly re-authenticated.
To some extent, I think that is logical. But some of it seems to be irrational and overzealous security theatre.

Signing you out frequently is considered bad practice in the modern day. It creates login fatigue where you won't be as vigilant against phishing.
Also 2FA is a bad name for what it really is. 2FA is NOT a "Second" Authentication. It's a STRONGER authentication. 2FA is not meant for you, it's for preventing unauthorized users.
Putting your 2FA in your password manager is not only fine, you should put it there because the actual secret should be in a secured place.
You still need to secure your password manager. Also, yes put a 2factor on your password manager. It should be a backed up TOTP on your phone with google auth or aegis, etc.
That being said. Passwordless auth with passkeys is the new hotness that is really good. Start using that.
PS: Autofill is always configured if the URL matches. Autofill is secure by design it will NOT enter into malicious boxes.

I use KeePass and just sync the database file to my own Nextcloud server. Plus, the database has a REALLY long password. It's basically a long ass sentence that I have memorized. Online password managers kinda scare me.

Google has never signed me out on my pc, like ever. Aside from recently on youtube im getting a glitch where it says im logged out but I refresh my screen or click the login button I was never logged out

Teams auto logging out: Check your conditional access policies on your tenant, you may have a policy that controls session persistence. This will hard kill O365 app signins and Teams. Can put an exception in so the Teams app is excluded. Have seen this before. I suspect your IT team did something post incident from last year?
Also, with MFA, it's recommended now to only allow methods that are considered phishing methods, such as passwordless, FIDO2 keys etc. Email, SMS and passwords are not secure forms of MFA anymore.

After learning that both of them are using Chrome, this take does not surprise me.

It's probably not that great to store 2FA in a cloud based password manager. I accept it for an offline based one like KeePass (especially if it's on a hardware encrypted flash drive and/or 2FA'd with a hardware key) It's really up to the user's personal risk assessment but generally probably not the greatest idea.

My schools garbage website will one up all of these. It will automatically log you out after about an hour of not being used, It has no option to stay logged in and to top it off we have to change our passwords every month.

The worst 2FA is using the dreaded 6 digit code. Screw Roblox, people keep getting hacked with 2FA. 2FA 6-digit email code is child's play. What is the chance it is brute forced? Why cant 2FA codes be a jgkst7932gjlahjh92hdjs instead of numbers?

Discord logs me out far too often. I game once every 3 to six months with friends and I always have to log back in

I just spent a week trying 5 password managers to switch away from a over priced one, all offer 2FA built in as a premium option, I work in security, this is a extremely bad ideal, most people reuse bad passwords, or postits on their monitors.. None of the password managers we tried didn't meet our requirements. 2FA needs to be outside of where you keep your passwords.

You have something misconfigured on your credential or Teams organization enterprise account settings. Teams doesn't auto-log you out, unless you set it up to do that or have a Windows credential issue. Try removing the Teams credentials from Windows credential manager in the control panel. If that doesn't work then it is your Microsoft enterprise account settings that is logining you out.

Crazy perspective... I'm a 10+ year Apple Mac user in the education, tech, and live entertainment realm who manages a Mac computer lab with somewhat continually updates devices (MBP, MBA, iMac, Pro, and Studio) but who has personally lived off an entirely fixed 2012 iMac and every-five-year-updated Android smartphones and a single Apple-managed biometric. The rest is Google Auth and 3rd part personal 2FA and work MFA (though mostly 2FA).

There's three factors of authentication.
- Something you know: A password/PIN
- Something you have: A keycard or an authenticator on your phone
- Something you are: Biometrics.

What are they talking about? Google never signs you out on PC!

nothing cant be hacked all security is is making the criminal go after you nebour with less security (to escape a bear just be faster then the slowest person)

Y'all should have a look at the new 2fa that is Un-pishable/phish resistant. Beyond Identity is doing this for SSO apps at companies. It uses a client on the machine that has a certificate to prove its your device trying to auth.

As a tech support person who is asked to "just fix it" when it can mean logging in as the user and pinning a shortcut to their desktop, taskbar, start menu, or web browser bookmarks, 2FA is extremely frustrating to me, because I CANNOT log in outside of work hours to do my job unless the person whose problem I am fixing is sitting in front of their phone waiting for me to log in as them so they can tell me the code. God help me and them if someone steals their phone or they accidentally forget it on a plane or in a hotel room or drop it in a sewer grate.

if someone has access to your system in that they can add Software to it, then you're already at the point where you can sniff the DRAM Operations as they happen since you can see when things are happening based on the users' actions - so you can capture the data as the Computer is enacting it.
similarly the Memory that's storing the data in the Passphrase Manager, just have to wait for the user to ever use their Manager, even a single time.
once your Device is compromised it's always over. if you can't trust the Device then you can't trust anything.

Honestly all this video did was make me realize I have an additional vulnerability by having my email password in the password manager instead of my head.

Steam does sign you out after 2 weeks of not being connected to the internet.

I make sure I have a seperate app for my 2FA out of paranoia.

07:34 You're a person frequently on the go, bringing your laptop with you wherever you go, suddenly you forget to grab your laptop leaving from the coffee shop, someone steals the laptop from the tabletop, and easy access to all your accounts they got.
I suck at rhyming and all that, but whatever, point is the same, if the 2FA is automatic through the Password Manager it ruins the point of having a Password Manager in the first place, as anyone that gets access to the laptop can easily get access to all the accounts, especially if you leave your laptop with Password Manager's Browser Extension always logged in.
At least without the 2FA automatically being input through the Password Manager, you would get a pop-up message on your phone warning you "Hey, did you try to login just now?" and you could reject it, then try to get your laptop back, or if you can't do that and have the ability, lock the laptop so its pretty much useless to whoever stole it.

He was weirdly confidant that it wasn't safe given the number of password managers saying it is.

We haven't had any of these problems with Teams since upgrading to New Teams. It used to be terrible but we enjoy using it at the office now...which feels like whiplash even to us.

I store my backup codes for 2FA on a secondary keepass database that I keep in a separate USB drive. Is that paranoid enough?

Teams signs me out three times a day, maybe 4 but I am asleep at midnight. It signs me out at 9am, 12:30pm, and 4:30pm, of ehich I have to get my phone, open and use Duo or Microsoft authenticator, then scan my finger print. And I have to do this on my phone, and my work laptop for Team, Outlook, and Office... Separately. So 18 times at minimum per day in total I have to use 2FA. Like I am for security, but I just dont think this is a reasonable number of times.

I think the point of having 2fa in password managers is if the one login password gets hacked. Yeah you're boned if the password manager gets hacked, but that's not what the 2fa in the password manager is trying to stop. The good password managers support things like fido.

Assuming TOTP, you use a 64- whatever bit string of characters to randomly generate a time-based one-time code, which means that one-time code is not easily attackable because you can't test and verify if you've created the correct string to generate the same responses. The question isn't about getting hold of your crypto vault. If they got your crypto vault, they got the rest of your device anyway. In that way, TOTP, the second factor still matters because people aren't brute forcing or stuffing or otherwise building an attack targeted at you, they're not phishing you. The second factor still prevents that.

You could always use a harware key to secure your key vault

it's fine to store 2fa in password manager, just make sure that PM never get compromised and you can have 2fa for that PM on different platform and have 2fa password as separate password

20:42 - this is false. A password manager will only autofill on the domain that the password was created under. If anything, keep autofill *on*. If your password isn't autofilled where you expect it to be, check the domain of the site you're on.

i have never encountered any google thing signing me out on my pc

It's all security theatre.

Microsofts logout is tied between all apps and per device. The compliancy setting is what is logging you out and if it is once every 7 days it will be down to the minute. Monday at 8:52am you logged in, you will be logged out at 8:52am the following Monday. Do not log back in till noon, the following week will be noon.

well, my work gmail is being stupid sometimes but everything else never logged me out
what has been troublesome was Android refusing to use my yubi key few times but that seems fixed now

TH-cam never signs you out

Authentication on computers is fundamentally broken at this point, and 2FA is just a band-aid on wound that keeps bleeding. We need something else.

So you can do it in a certain way. They way we do it. Is Corporate passwords that everyone needs access to. Are in our Password manager with the OTP. But our password Manager is protected by indidual accounts and 2FA.

2:10 - gmail logs you out? not on normal accounts

I don't think I've ever had Google sign me out of my gmail account on any of my devices, especially not once a month.

if they have a key logger they steal your tokens, cookies

How does nobody talk about that companies dont fucking need your phone number to do this shit but do it anyway.

I think it might differ depending on country? My GMail account is literally logged in on my desktop for around 8 Months in Switzerland.

I never get singed out in Teams

Think they are confused that the 2fa on the password manager is a one time code not a static 2fa like a backup code 13:32

In my org if i get signed out of my phone i use the 2fa on my phone to signe in... Perfect security

Meanwhile, there are government STIGS against using password managers and auto-fill and require everything to be memorized and typed each time.

Shortcuts need to be easily customized

“If they have x they have z” WHAT?!?!? The whole point of 2FA is to keep it separated! I can give up all my passwords, it won’t get you any of my 2FA. I don’t understand this statement at all

Since google authenticator now is cloud backup, besides yubikey is there any other 2fa timed one time rolling password that is stored locally/offline like an apk or sdk that can have on SDCard???

2FA is really not 2 FA, it's an alternative 1 FA, as you can just reset all your passwords with just your phone; you don't need a password to access the account. I'm way more scared of someone stealing my phone than guessing a stupid strong password.

People who store 2fa in pw manager are same people who don't use soap or deodorant.

Linus, the reason your laptop gets logged out on desktop is a reason youve already experienced. Session tokens

What do you mean when you say that you can "store your 2FA in your password manager"? To me, 2FA is a code from another source. Those codes expire, so there's no point in storing them? Do you mean something else? Like storing the PASSWORD to your email or something? If that's what they mean, it seems really weird to call an email password a "2FA."

Use hardware for 2FA, it can't be compromised. I use a hardware password manager, Mooltipass, for my password manager.

love seeing the note 9 best phone ever made

You can access every password in plain text in the chrome password manager, if you happen to know the login to the windows pc. No 2fa or anything.

Passwordless should be the future 2fa codes. I love all passwordless systems

Odd, I never get logged out of Teams on my Mac. Ever.

I agree with Linus, very little in life passes me off more than MS

Storing 2FA OTPs in mangers makes no sense to me either.

putting your 2FA into a password manager makes it a 1FA, just in a different place
if an attacker doesn't get into your vault it works like 2FA, if they do it's 1FA

This would be a good video to do tbh. get a few large security companies that are in related fields (Checkpoint, Fortinet, Barracuda etc), and discuss security ideas.

Your Teams issues is bizarre. We have almost 200 users and that doesn't happen to anyone.

Hey Linus, TH-cam is deleting technical comments on your videos before the comments even go live

Turning 2 factors back into 1 factor with extra steps is not fine.

Slack logged me out as I watched this video lol

I never got any of my gmail accounts logout on the desktop, only if I clear the chache or formate the PC, it can go months, never happen, but I'm also not Linus, and I was never hacked that way, the best hack attempt I got was a DDOS back in 2013 xD

You aren’t understanding what 1p is saying. They are only talking about their website

I think Linus is still salty over one of his employees executing that malware that stole all the cookies so it could emulate his computer login session.

I've deployed and managed countless M365 environments and have never seen the sign out issues you've been experiencing. Very strange. Certainly seems like a niche issue.

They took the 2 from FA

So there is answer is Beepers sending your beeper a 2fa code

man LTT without Luke wouldn't be the same. Linus, probably is, but should be really grateful.

EA & Epic log me out semi regularly.

Am I the only person in the world that has never used a password manager?

2FA for your master password?

biometric security is bs though...

Putting 2FA backup codes into the password manager is a very, very, bad idea. So now if you lose access to the password manager, you've lost Everything.

Teams always has me logged in

absolutely😊

team doenst seem to log me out but keeps trying me to try new teams which is awful wants to send a shared doc rather than send a copy an others

Using your password manager as a 2FA provider is simply a security for convenience tradeoff, making the second factor more like a half factor. Using 2FA in such way adds some security and doesn't take away from convenience.
You can always use stronger factors for accounts where you don't trust your password manager as a single point of failure.

2FA means Two-Factor Authentication.
Usually it means that it's something that you have and something that you know. If your password manager is tied to a specific set of authorized devices, e.g. locally or behind "approve sign-in" type prompt as in Chrome, then an attacker both needs an authorized device and also the password for the password manager, which still fulfills the criteria of 2FA, at least in academic terms.

"Of course my site has 2 factor authentication! The first factor is the username, and the second factor is the password"

the amount of companies that use a phone number as the "second factor", and then let you reset your password with just a phone number 😡

The worst type of 2FA is those security questions

“You need a shortcut to make Teams go away” - yup basically my mom’s experience too

2FA in password manager is fine because if your password is leaked or breached, they still don't have access to the 2FA to login. It's less secure in the case somebody gains access to the password manager, but the daily convenience of autofill 2FA with pretty good security for breached passwords beats pulling out an offline authenticator on a phone for every single login for most users.