Open Source

44702 readers

193 users here now

All about open source! Feel free to ask questions, and share news, and interesting stuff!

Useful Links

Rules

Posts must be relevant to the open source ideology
No NSFW content
No hate speech, bigotry, etc

Related Communities

Community icon from opensource.org, but we are not affiliated with them.

founded 6 years ago

MODERATORS

Cloak@lemmy.ml

kevincox@lemmy.ml

CrypticCoffee@lemmy.ml

Lettuceeatlettuce@lemmy.ml

Dedicated Authenticators from Password Manager vendors (sh.itjust.works)

submitted 2 years ago by brrt@sh.itjust.works to c/opensource@lemmy.ml

15 comments fedilink hide all child comments

Does anyone know why there are no dedicated Authenticator apps made by for example Proton or Bitwarden?

I’m aware that they have TOTP baked into their password managers but you still need to have at least one separate solution to log into your vault.

you are viewing a single comment's thread
view the rest of the comments

[–] GravitySpoiled@lemmy.ml -1 points 2 years ago* (last edited 2 years ago) (1 children)

No. If anyone has access to your email or master password, they can simply reset any other account. How would your difficult (one time used) password of protonmail be leaked? Proton doesn't have it. Only if you've got powerful malware on your device and then it doesn't matter in which app your shit is stored.

[+] voracitude@lemmy.world 6 points 2 years ago* (last edited 2 days ago) (1 children)

[deleted]

[–] helpImTrappedOnline@lemmy.world 3 points 2 years ago* (last edited 2 years ago)

I think they are suggesting the abality to reset 2fa for a service if they have access to your email.

Let's say your database contains your email service, and bank account without 2fa. Let's also assume they got acess to your email through a sham site that had you type credentials in and 2fa.

Hacker gets database.

They can login into your email and use the recovery code the bank send to your email for "lost my 2fa". (And delete the mail notifications as they come in, hopefully before you catch on)

A bank (should) have additional steps such as phone number, or a real recovery key you were supposed to write down, but a random online store or entertainment site will probably will just reset the 2fa and the hacker can go from there.

Realsisticlly we should be using at least 3 password database files with different master passwords for better security.

Account logins and passwords
TOTP
Any 2fa recovery keys.

However in practice, that is a pain in the ass and if someome has taken the time to breach your 1 specific database instead of going after easier targets, they probably have all your databases.