- Selectively require an extra MFA/2FA step for viewing and copying secrets from an unlocked password manager.
I would like to keep my accounts in a central location with my tokens, but require one of my configured MFA/2FA methods (Duo, YubiKey, i.e. a TOTP on a separate device/service) to access secrets of an already unlocked password manager.
Using BW to store TOTP codes and passwords is great; obviously, it’s a password manager. However, info-stealer malware is focusing more and more on stealing credentials from password manager extensions.
When using a password manager, storing the username, password, and now more commonly a TOTP code in one place is convenient. However, the security-versus-convenience balance is shifting away from security. Having an unlocked password manager is becoming a risk, and re-entering the master password to unlock it continually is annoying, if not a risk in itself. I’d rather not move all my TOTP tokens to Microsoft Authenticator or Google Auth to mitigate my concerns about losing 2FA/MFA on my stored account secrets.
It would be nice to use the master password sparingly, for important changes, and then require a configured account MFA/2FA step each time a secret or TOTP token is accessed in the password manager. If the codes used for that step are sniffed, they are short-lived and not as easily replayable.
If malware attacks on password managers become more common, keeping a store of TOTP tokens in the password manager becomes less and less safe.
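To illustrate the requested behaviour, here is an added example (not Bitwarden code, and not from the original post) of a hypothetical `StepUpVault`: the vault is already unlocked, but each reveal of an item requires a fresh RFC 6238 TOTP from a separate device, a reveal is only cached for a short grace window, and a code that has already been used is refused so a sniffed code cannot be replayed. The step-up secret is the RFC 6238 test-vector key and the vault items are constructed sample values.

```python
import base64
import hashlib
import hmac
import struct
import time


def totp(secret_b32: str, t: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for unix time t."""
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    mac = hmac.new(key, struct.pack(">Q", t // step), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return str(code).zfill(digits)


class StepUpVault:
    """Unlocked vault that still demands a fresh second factor before revealing an item (hypothetical)."""

    def __init__(self, items, stepup_secret_b32, grace_seconds=20):
        self._items = dict(items)           # name -> secret; vault is already unlocked
        self._stepup = stepup_secret_b32    # key of the separate second-factor device (constructed here)
        self._grace = grace_seconds         # how long one step-up keeps an item revealable
        self._cleared_until = {}            # name -> unix time until which no new code is needed
        self._used_codes = set()            # codes already accepted: each code unlocks once

    def reveal(self, name, code=None, now=None):
        now = int(time.time()) if now is None else now
        if now < self._cleared_until.get(name, 0):
            return self._items[name]        # still inside the grace window
        if code is None:
            raise PermissionError("step-up required")
        if code in self._used_codes:
            raise PermissionError("second factor already used")  # replay of a sniffed code
        counter = now // 30                 # accept current step and one either side for clock drift
        expected = [totp(self._stepup, (counter + d) * 30) for d in (-1, 0, 1)]
        if not any(hmac.compare_digest(code, e) for e in expected):
            raise PermissionError("bad second factor")
        self._used_codes.add(code)
        self._cleared_until[name] = now + self._grace
        return self._items[name]


def denied(vault, name, code=None, now=None) -> bool:
    """True if the vault refuses the reveal; used to show which attempts are rejected."""
    try:
        vault.reveal(name, code, now)
        return False
    except PermissionError:
        return True
```

With a 20-second grace window, a code captured at the first reveal is useless after the window even though the TOTP step itself is still within the drift tolerance.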