2FA Sucks

Bad clickbait title. Linus is clearly referring to specific things, NOT 2FA in general which it implies.

Security researcher here. If someone has the capability of having a software keylogger on your computer, they have the capability to dump the cleartext content of your password manager once you unlock it. It’s basically game over once an attacker can execute anything on your computer in your user session.

Using your password manager as a 2FA provider is simply a security for convenience tradeoff, making the second factor more like a half factor. Using 2FA in such way adds some security and doesn't take away from convenience.
You can always use stronger factors for accounts where you don't trust your password manager as a single point of failure.

"Of course my site has 2 factor authentication! The first factor is the username, and the second factor is the password"

The biggest issue I have is with platforms ( specifically gov ones ) is when they force you to change your password every 1 month / 3 months and it can't be the same as any password you used in the last couple of years.

the amount of companies that use a phone number as the "second factor", and then let you reset your password with just a phone number 😡

LTT did a video 5 months ago with the outro sponsor being Keeper, and one of the talking points being keeping 2FA codes in Keeper the password manager. It was the video on upgrading Linus's home NAS swapping out an 8TB archive drive to the 22TB drives.

2FA means Two-Factor Authentication.
Usually it means that it's something that you have and something that you know. If your password manager is tied to a specific set of authorized devices, e.g. locally or behind "approve sign-in" type prompt as in Chrome, then an attacker both needs an authorized device and also the password for the password manager, which still fulfills the criteria of 2FA, at least in academic terms.

12:30 it still relies on a static key, the alternating code just works off of an algorithm based on the current time. The underlying key is still static.

The worst type of 2FA is those security questions

“You need a shortcut to make Teams go away” - yup basically my mom’s experience too

2FA in password manager is fine because if your password is leaked or breached, they still don't have access to the 2FA to login. It's less secure in the case somebody gains access to the password manager, but the daily convenience of autofill 2FA with pretty good security for breached passwords beats pulling out an offline authenticator on a phone for every single login for most users.

For many people, if they don’t store 2FA in their password manager, they would store it in a 2FA app on their phone. Which if their phone got compromised, the 2FA app would still be compromised. Then there’s no difference between saving 2FA in password manager and in a separate 2FA.

For 90% of users it is a good recommendation to store everything in one place and have it really well secured instead of having multiple things that are badly secured

Alot of government sites and programs have gone to zero trust, even on government devices. Meaning, I log onto a government laptop and go to use a browser, the browser will require that I log into it in order to access just the browser. Then, I goto a government site, Im required to login, again. Open outlook, login required. Teams, login required. Its obnoxious, but its security in layers.
Ultimately, we have no one to blame but ourselves. The weakest link in any security is operator complacency. We know that we should or shouldn't do something because it may compromise security but we don't because it requires too much time or effort or it won't happen to me.

Weird. I've used Teams for half a decade at this point and I've never experienced the issue they're talking about here. It has never logged me out randomly. And that's across half a dozen different laptops.

The only reason I store my 2FA passwords in my password manager is because the only way to get into my password manager is with a physical security key as a 2FA option, _combined_ with the emergency key.
So the literal only way someone would be able to get my passwords & 2FA is if the password manager database leaked, and they guessed my password (which is not an easy one to guess, it's very long with symbols and such)

My school thinks its a good idea to have us login every single time with 2fa. It makes just checking due dates painful, much more so in an area with slow internet. I'd gladly sacrifice the security for simplicity.

2FA in your password manager is better than no 2FA. So for people who will not accept the inconvenience, It is still technically more secure than no 2FA at all. That said, it’s obviously less secure than keeping your two FA separate from your password manager, as the password manager becomes a single point of failure. To that point though I think most people probably think a little bit harder about how they’re securing their password manager.

Signing you out frequently is considered bad practice in the modern day. It creates login fatigue where you won't be as vigilant against phishing.
Also 2FA is a bad name for what it really is. 2FA is NOT a "Second" Authentication. It's a STRONGER authentication. 2FA is not meant for you, it's for preventing unauthorized users.
Putting your 2FA in your password manager is not only fine, you should put it there because the actual secret should be in a secured place.
You still need to secure your password manager. Also, yes put a 2factor on your password manager. It should be a backed up TOTP on your phone with google auth or aegis, etc.
That being said. Passwordless auth with passkeys is the new hotness that is really good. Start using that.
PS: Autofill is always configured if the URL matches. Autofill is secure by design it will NOT enter into malicious boxes.

If you use Google authenticator you can just as well have your 2fa in your manager. Given that google authenticator is backed up online anyway and not specifically password protected.

Last comment it’s correct. These people aren’t experts, even though they talk like a position of authority for every single topic they talk about.

Teams on a Mac = Nightmare! If you're logged in you can't join meetings. Mail links take you to the app, the app takes you to login on the web, back to the app and then it fails to join.
The web version works until the laptop becomes completely unresponsive. This helped🗑

I do store my Google backup codes in my password manager because it doesn't matter with their chaotic systems anyway. Last time Google didn't even give me the option to use backup codes or SMS, it forced me to specifically confirm the 2FA popup on an old phone I haven't used in half a year, without any other option. What if that phone breaks? No idea. Google/Android also once opened a popup on my homescreen to tell me to rate the preinstalled phone app.
They have automated more and more of their stuff and now it's starting to fall apart.

I think its mostly fine as long as you have mfa enabled on the password manager; you need physical access or an export of an unencrypted database as long as the manager is decrypting in app.
If you also required 2fa (or even 3fa) to export a version of the document & dont store any of the password manager's 2fa codes, then the only way to get access is to have physical (or remote) access.

When I was getting a password manager for my company, I tried asking the sales representatives of all companies we checked as to whether we can disable the ability to save 2fa codes. all of them said no.

Get yourself two Yubikeys and you are good to go.

For some reason my school authenticator does not allow me to "Stay logged in" The button for it is there but it does nothing. So when my token expires after just a few hours of work, I have to log in and authenticate with the app again. So sometimes I have to log in and authenticate 4-5 times a day from the SAME device, from the SAME location, a DAY. Its just so crazy over kill ridiculous.

I put my one time passcodes in my password manager for a lot of my accounts. The biggest reason I do so is because my wife and I share logins for a lot of shared accounts, and our family password manager plan allows us to share that 2FA login code between us. For a lot of accounts, there’s no other way to do that besides one of us having to get on the phone with the other party to share a 2FA code when signing into shared accounts. So it’s the difference between having 2FA enabled on an account versus not.

Went to a talk by a Google employee on security of their internal system. They have multifactors that depending on the factors depends on what they can see.
So even if your role is the most trusted (Lead tech) and you have your physical security key to authenticate with if you are signing in from a computer you haven’t signed in from before or abroad then that will be flagged. But you’ll still be signed in with scope to see the least sensitive stuff. But say the management of production servers wouldn’t be allowed because of the physical factor of an “untrusted” computer. Always wanted to look more into the implementation of this

My password manager doesn't do 2fa, if it did, i would most definitely use it as 2fa is required in soo many unnecessary places. The 1 place i see different is email as that is the biggest security risk

As I understand it: The main difference is between apps and browsers. Apps are generally considered to be a more trusted environment. Where once the device is verified, it can remain verified, and that device can be used as a factor of authentication. Whereas browsers are generally considered less secure, and have to be regularly re-authenticated.
To some extent, I think that is logical. But some of it seems to be irrational and overzealous security theatre.

My college forces me to enter a code *every 7 days*

I had this issue with Discord, when they updated the app, and changed all of my settings. Completely locking me out of my account.
I even emailed their customer service, and there is nothing they can do.
🤦

From the way I see it, any 2FA is better than nothing including 2FA in your password manager, but 2FA with an offline app on your phone is best. Prior to Google authenticator allowing you to sync to your Google account, if you lost your phone then you better hope you have your backup codes handy. So the argument that I used to hear extremely often is the backup argument, although less common now since Google Authenticator allowing you to back up to the cloud

MS Teams does many things wrong, but I never had the issue of being logged out, either on my phone or my computer

After learning that both of them are using Chrome, this take does not surprise me.

Having the 2nd factor in your password manager is very comparable to how passkeys work. It takes away many of the risks passwords have (them being stolen by keyloggers, malicious browser plugins, malware, social engineering, man in the middle, dns poisoning...). It's definately NOT an actual 2nd factor, but it does increase security!
The 2nd factor never leaves the vault (only timed codes do). So the only way to "steal" it would be by breaking said vault. The same can not be said for passwords.

There's three factors of authentication.
- Something you know: A password/PIN
- Something you have: A keycard or an authenticator on your phone
- Something you are: Biometrics.

I use KeePass and just sync the database file to my own Nextcloud server. Plus, the database has a REALLY long password. It's basically a long ass sentence that I have memorized. Online password managers kinda scare me.

Google has never signed me out on my pc, like ever. Aside from recently on youtube im getting a glitch where it says im logged out but I refresh my screen or click the login button I was never logged out

The number of times I've HAD to go back to Bank of America because whenever I try a small bank their security is run by IDIOTS.
"We made it so you can't copy and paste a password to be secure!" > I use a password manager to have passwords that are longer then the heat death of the sun.
"You can't have 2 repeating letters" > just WTF?
They say "it's for your security", except whoever they hired is insanely stupid.

12:16 Devils advocate: Adding 2FA to your account if you already have a Secret Key that functions as a 2FA of sorts just adds another hurdle you have to jump through when you forget your account password.

my teams just does updates while im in a Meeting... it just closes my meeting and says hey i did an update..
happened 2 or 3 times now...

I use teams at work and it has NEVER logged me out like that so IDK what's going on with you guys.

it's fine to store 2fa in password manager, just make sure that PM never get compromised and you can have 2fa for that PM on different platform and have 2fa password as separate password

The worst 2FA is using the dreaded 6 digit code. Screw Roblox, people keep getting hacked with 2FA. 2FA 6-digit email code is child's play. What is the chance it is brute forced? Why cant 2FA codes be a jgkst7932gjlahjh92hdjs instead of numbers?

It's probably not that great to store 2FA in a cloud based password manager. I accept it for an offline based one like KeePass (especially if it's on a hardware encrypted flash drive and/or 2FA'd with a hardware key) It's really up to the user's personal risk assessment but generally probably not the greatest idea.

The biggest issue I have with 2FA is not having options on how to 2FA. I often work in areas where I have internet access but not cell service. Many accounts require 2FA through sms only which renders those services completely unusable for me in many cases.
Also I could see an argument for using 2 separate managers, one for passwords and one for 2fa codes. Still secure but beats memorizing 150 different passwords and codes.

That is very interesting I only ever get logged out of Teams when it is time to assign my password again after half a year.

You have something misconfigured on your credential or Teams organization enterprise account settings. Teams doesn't auto-log you out, unless you set it up to do that or have a Windows credential issue. Try removing the Teams credentials from Windows credential manager in the control panel. If that doesn't work then it is your Microsoft enterprise account settings that is logining you out.

Rolling 2FA codes already rely on a static secret as well.

I worked for a bank and every single log in was switched to the Microsoft platform. it was such a problem that our non Microsoft apps that were used for transactions failed and wouldn't work properly until we were logged into our Microsoft account, and it would do the same shit and log you out randomly to then forcer its self to front of screen. this of course would always happen when working with a client in front of you or trying to perform a wire or really any time it felt like it. and our IT department was so inept it took 8 months for them to tell us that the problem is because we needed to log into outlook first before any of our other apps, which in my opinion is ridiculous we are a massive bank with over 10 billion in assets and yet we cant get our employees logged on? the fuck is that?

I think it can be a slippery slope. Why not store all your passwords in a plaintext file on your desktop? Because if they get control of your computer, you're already pwned right? Yes, if they get in, that's awful, but don't make it easy for them if they do!

The biggest problem is that it's impossible to buy a phone online when your phone is broken.

I think it makes sense if your password manager is more complex and linked to an account with a higher tech 2FA such as Google or Apple. They use your device, GPS, IP, etc in addition to just the 2FA to log in to those accounts to begin with

Crazy perspective... I'm a 10+ year Apple Mac user in the education, tech, and live entertainment realm who manages a Mac computer lab with somewhat continually updates devices (MBP, MBA, iMac, Pro, and Studio) but who has personally lived off an entirely fixed 2012 iMac and every-five-year-updated Android smartphones and a single Apple-managed biometric. The rest is Google Auth and 3rd part personal 2FA and work MFA (though mostly 2FA).

Since google authenticator now is cloud backup, besides yubikey is there any other 2fa timed one time rolling password that is stored locally/offline like an apk or sdk that can have on SDCard???

I just spent a week trying 5 password managers to switch away from a over priced one, all offer 2FA built in as a premium option, I work in security, this is a extremely bad ideal, most people reuse bad passwords, or postits on their monitors.. None of the password managers we tried didn't meet our requirements. 2FA needs to be outside of where you keep your passwords.

We haven't had any of these problems with Teams since upgrading to New Teams. It used to be terrible but we enjoy using it at the office now...which feels like whiplash even to us.

It's fine as long as you have the MFA to your password manager elsewhere, preferable using a hardware key.
In addition, what do you think is going to happen with Passkeys? It'll be "one password again" like you claim is an issue with storing 2fa in password managers.

Keepass doesn't touch the clipboard from what ive seen either by default. Also, I store my TOTP in my keepass but they are encrypted differently from my regular passwords.
So I've got one master password for everything other than TOTP and another for my TOTP.

As a tech support person who is asked to "just fix it" when it can mean logging in as the user and pinning a shortcut to their desktop, taskbar, start menu, or web browser bookmarks, 2FA is extremely frustrating to me, because I CANNOT log in outside of work hours to do my job unless the person whose problem I am fixing is sitting in front of their phone waiting for me to log in as them so they can tell me the code. God help me and them if someone steals their phone or they accidentally forget it on a plane or in a hotel room or drop it in a sewer grate.

For the past while Google has been logging me out every single time I close my browser. I didn't change any settings, and I'm not blocking cookies or anything. I just have Google sites boxed (segregated) to separate sessions, and some other minor stuff like user agent randomizer and stuff. I do also use script blockers and anti-fingerprinting and such, but a whole lot of it (nearly all of it) is disabled on sites like youtube (probably the only Google site that I use unless I'm visiting someone's Google Docs link)

Something is wrong, because I use Teams for work and it NEVER logs me out. Honestly, I've been working in my current role with a work provided laptop and I don't think I've EVER been logged out of Teams.
One way or another, there is a way around the issue you're talking about.

Authentication on computers is fundamentally broken at this point, and 2FA is just a band-aid on wound that keeps bleeding. We need something else.

i never had to log in back to teams in my workplace for years..

Honestly all this video did was make me realize I have an additional vulnerability by having my email password in the password manager instead of my head.

gmail on your computer has no idea if you're using full disk encryption or a screensaver or strong windows password, gmail on your phone is far more likely to know these things.. it's also a much safer assumption that people lock their phones whereas they mostly don't bother enabling bitlocker or filevault or a screen timeout

He was weirdly confidant that it wasn't safe given the number of password managers saying it is.

Teams auto logging out: Check your conditional access policies on your tenant, you may have a policy that controls session persistence. This will hard kill O365 app signins and Teams. Can put an exception in so the Teams app is excluded. Have seen this before. I suspect your IT team did something post incident from last year?
Also, with MFA, it's recommended now to only allow methods that are considered phishing methods, such as passwordless, FIDO2 keys etc. Email, SMS and passwords are not secure forms of MFA anymore.

"if they have your password vault, wouldn't they also have your 2FA?"
Of course not... That's literally the only reason we use two factors... I don't understand. If you can gain access using only one factor, whatever it is, then by definition you aren't using two factor authentication.

WHATS THE POINT OF A TWO FACTOR APP IF ITS JUST GOING TO ALLOW AN ATTACKER TO SMS IT

Makes sense to me that password managers offer 2FA. Something like iCloud Keychain for example would require someone to have access to your Apple ID Password, then have physical access to one of your Apple devices and be able to unlock it (so let's say passcode since they can't in theory face-off you or use your fingerprint). That feels like a fairly tall order

if someone has access to your PC they can just steal your private key for a lot of OTP generators/key-managers, with that they can just consistently generate your OTP

As far as I know the whole "Change your password every 3 months" and shit was proven to not only be inefective but even detrimental to security but many many many work places still use that system so.. you onow, it's less about being sefure and more about FEELING secure, I guess

My issue with forced password diversity and making you change it every month and so on was that it ALWAYS was going to end up with NOBODY BEING ABLE TO REMEMBER THEM, thus they put them ALL in a single password manager, now one single data breach and you lose ALL your accounts.
All of this was just a plot to make people give their phone numbers via 2FA

Microsofts logout is tied between all apps and per device. The compliancy setting is what is logging you out and if it is once every 7 days it will be down to the minute. Monday at 8:52am you logged in, you will be logged out at 8:52am the following Monday. Do not log back in till noon, the following week will be noon.

if an attacker is able to install software on your system or get an admin shell, 2FA does not matter, its game over

I’m assuming LMG is using Azure Active Directory or Hybrid but it might be a group policy signing you out. My users only need to reauthenticate when they change their passwords.

If sms shouldn't be a thing then plenty of people won't use 2FA.
I never understood why people think forcing security works. If its too inconvenient, people won't do it no matter how good it is for them.

nothing cant be hacked all security is is making the criminal go after you nebour with less security (to escape a bear just be faster then the slowest person)

2FA should be a separate app, perferably with the hardware key attached.
Password manager should be an offline storage with a backup copy.
Passwords should be long word chains, because they would be easier to remember and harder to break, because length add more complexity that 5-10 special characters.
Automated logoff should be abandoned as a practice. If it less than every day, it's useless. If it more frequent that once in a week - it's annoying. Most security practices which are more annoying than useful result in users looking for workaround and adopting even more risky behavior.

Can we talk about the fact that there is no way to passcode lock the Google Authenticator app... it's security relies on your phone's security, which we have at various times learned is not so great.

That's not a shortcut, that's dark summoning

if the 2FA code is in the PM aswell as the password, the convenience to have it filled in too is nice. Having the 2FA part of the PM tied to device solves the security issue completely.

I think it might differ depending on country? My GMail account is literally logged in on my desktop for around 8 Months in Switzerland.

I feel like 2FA is most relevant for people that reuse the same password over and over again. So storing it in a password manager is fine, because it means you have a password manager.

My schools garbage website will one up all of these. It will automatically log you out after about an hour of not being used, It has no option to stay logged in and to top it off we have to change our passwords every month.

I just noticed the the new dumb Windows rewind AI thingy will take screenshots of the 2FA QR codes. Essentially defeating 2FA immediately.

Roll on passwordless logins: Single-signon but uses your "other" device (e.g. biometrics on a phone) to authenticate with site-specific client certificates. No need for corporate SSO configurations.
2FA by your password manager sits between "no 2fa" and "2fa on a different device". This is relevant in places where you should have 2fa, but the person using it has no vested interest in it and can turn it off. Or it might be where an overzealous secadmin puts in 2fa where it isn't really required, and auto-logs you out every five minutes.

I once had ms teams log me out MID JOB INTERVIEW and apparently it never showed that i was put of the call because i got back in and it now showed two of me in the call and the guy was still answering my question until he noticed i suddenly multiplied like wat

Assuming TOTP, you use a 64- whatever bit string of characters to randomly generate a time-based one-time code, which means that one-time code is not easily attackable because you can't test and verify if you've created the correct string to generate the same responses. The question isn't about getting hold of your crypto vault. If they got your crypto vault, they got the rest of your device anyway. In that way, TOTP, the second factor still matters because people aren't brute forcing or stuffing or otherwise building an attack targeted at you, they're not phishing you. The second factor still prevents that.

You've got some sort of security setting thats doing that to Teams. We deploy it to clients all the time because its microsoft's product and most SMB dont care enough to try anything else. But the logging out issue is not something we get reports of ever outside the occasional issue. I also never get an issue with it on my work devices or any device that im logged into Teams on, so basic troubleshooting tells me there's something configured in your environment that's killing those tokens or something else.

"If they get access to your password do they not have your 2fa"
I mean yeah they do if you store your 2FA with your password. Instead you can store it locally on your phone and if someone compromises your master password they still can't get into any of your other accounts as long as you're 2fa is seperate. You also want to keep your email password separate since you use your email to reset any other password you forget.
Also in the keylogger scenario you could just hijack their already logged in session.

Using separate 2FA and password manager apps > putting 2FA in your PM app > not using 2FA at all.
It's not as secure, and if your PM gets compromised you lose it all, but if you know yourself well enough and say "I won't be bothered with 2FA if I need to reach for another app/my phone every time", it's better than not having 2FA at all.

Uplay always logs me out when it updates. I have my machine setup for only one user, me. Brave makes you now input your windows pin to see saved passwords.

Ms does not sign out on phones every 30 days, that is a setting you set up somewhere. We've been using office 365 since forever and never had issues with teams/outlook etc mobile apps just randomly signing out on a frequent basis.

the problem is my 2fa is on my phone, and my phone is linked to google, so if they get access to my google account, then so many things fall

DO NOT STEAL USER FOCUS
It's like 40 years of user experience is ignored by latest version of windows.