Vishnu's Pages

On Storing TOTP in Password Managers

After a recent conversation on Twitter, I discovered that many people store their TOTP (Time-based One-Time Password) secrets alongside their passwords in password managers.

My argument is that this practice undermines the very essence of two-factor authentication (2FA) and is essentially "1FA" in disguise.

Here's a quick primer: there are three factors that can be used for authentication:

  1. Knowledge factor: something you know — a password, a PIN
  2. Possession factor: something you have — a phone, a hardware token
  3. Inherence factor: something you are — fingerprints, facial recognition

True 2FA uses any two of these three factors to authenticate the user — and crucially, they must be two different factors.

Think of it this way: if you have two different keys that must be used together to open a locker, would you store them in the same box? No: if someone gets that box, they have both keys and can open the locker. The same logic applies to 2FA.

When you store both your password and TOTP in the same password manager, you're essentially putting both keys in one box. If someone compromises your password manager, they gain access to both your password and your TOTP, effectively reducing your security to a single factor.
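To make the "one box" point concrete, here is an added illustration that is not part of the original post: a straight RFC 6238 TOTP implementation in Python, run against a constructed vault record that holds both the password and the TOTP seed. The site name, password and the seed (the RFC's own reference test key) are made-up sample values; the code shows that a TOTP code is a deterministic function of the stored seed and the clock, so whoever holds the vault contents can produce both factors without ever touching a phone or token.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time (floor(time / step))."""
    return hotp(secret, at_time // step, digits)


def verify_totp(secret: bytes, code: str, at_time: int, skew_steps: int = 1) -> bool:
    """Server-side check: accept the current step and +-skew_steps neighbours for clock drift."""
    candidates = (totp(secret, at_time + 30 * d) for d in range(-skew_steps, skew_steps + 1))
    return any(hmac.compare_digest(c, code) for c in candidates)


# Constructed vault entry (sample values, not real credentials). A password manager
# that stores the TOTP seed next to the password holds everything needed for both factors.
VAULT_ENTRY = {
    "site": "example.com",
    "password": "correct horse battery staple",
    "totp_secret": b"12345678901234567890",  # RFC 6238 reference test key, not a real seed
}


def login_material_from_vault(entry: dict, at_time: int) -> tuple[str, str]:
    """Both factors derive from vault contents alone: no possession factor is consulted."""
    return entry["password"], totp(entry["totp_secret"], at_time)


if __name__ == "__main__":
    password, code = login_material_from_vault(VAULT_ENTRY, 59)
    print(f"password={password!r} totp={code}")
    print("server accepts:", verify_totp(VAULT_ENTRY["totp_secret"], code, 59))
```

The 8-digit values for the reference key match the RFC 6238 Appendix B test vectors (for example time 59 gives 94287082), which is a quick way to confirm the implementation before reasoning about it.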

But what about password managers on phones that also generate TOTP?

In this scenario, both the password and TOTP are accessible through a single device — your phone. This is better than storing everything in one app, but to strengthen security, enable biometric authentication (Face ID, fingerprint) or a device lock (pattern, PIN) for your password manager. Also enable the setting to automatically lock the app after brief periods of inactivity.

My recommendations:

The goal is to ensure that compromising one factor doesn't automatically compromise the other.