1password As Authenticator



Yes and no. There are two advantages to TOTP 2FA: the 'second factor', and the 'one-time password'.

The one-time password advantage still exists if you use a password manager, and I'd argue it's the main advantage. It greatly increases the effort required to successfully hijack a login flow. It prevents account takeover via password reuse / leak. It does not help if the OTP seed leaks as well but it's still a lot more secure.

I used Google Authenticator to generate one-time codes for every time I logged into my 1Password account. I’m happy that 1Password has a two-factor authentication option, but it would be great if they included more advanced options, like Keeper’s biometric and smartwatch 2FA options. Staying safe online is a habit that needs to be nurtured, and using a password manager is the simplest way to upgrade your online account security. 1Password Families and 1Password Business work with the YubiKey to deliver strong password management to both personal users and organizations of all sizes.

Now on second factors: What is it? If a password is something you know, a second factor is something you either have or are.

The Wikipedia page on MFA (https://en.wikipedia.org/wiki/Multi-factor_authentication) gives a good summary of the philosophy behind it but concretely, the separation between a phone's encrypted 2FA database and your local password manager's encrypted database is not that large. They will likely be on the same network (the 2FA device is unlikely to be airgapped); they will likely have the same owner; etc.

Unless your threat model is 'people are already on my machine and have access to my RAM, or my files AND system-level keystrokes' (in which case I'd argue you're already beyond fucked), then a password manager won't be any less of a second factor than a phone authenticator. Either will be less secure than a hardware key.

Risk does greatly increase if you're using a browser extension as the threat level becomes the browser's sandbox. But security is also about convenience, otherwise you'll find people sharing a taped hardware token with its PIN written on a post-it note next to it and calling it compliant.

We’ve added a new feature to improve the security of your .gov registrar account: 2-step verification.

What is 2-step verification?

A password is all that protects your account right now, and passwords can be easier to obtain than you might think.

2-step verification adds another step to the login process. After you enter your password, you’ll be asked for a passcode from your mobile device. This raises the stakes for someone who wants to get into your account because now they have to get your password and your phone.

Why is this change happening?

Though you might only change your .gov domain or account information infrequently, someone with your password could sign in at any time and make changes. This extra layer of security makes it harder for someone to log in as you, which protects the services you make available to the public via a .gov domain.

What does this change mean for me?

You will need to add 2-step verification to your account at https://domains.dotgov.gov. The feature will be rolling out gradually following the schedule below. Please note:

  1. The first date is the initial time you can add 2-step verification to your account.
  2. Between the two dates, if you’re not ready to add 2-step verification, you’ll be able to select “Remind me later”.
  3. The second date is the enforcement date. On this date and after, you must enable 2-step verification on your account to manage your domain.

Rollout schedule

  • GSA-owned domains: October 1 - 31
  • Federal Agency: February 4, 2019
  • Native Sovereign Nation: October 8 - November 7
  • County: October 22 - November 21
  • State/Local Govt: November 5 - December 5
  • City: Done in phases, based on the first letter of your username:
    • A - D: November 19 - December 19
    • E - J: December 5 - January 9, 2019
    • K - P: December 17 - January 23, 2019
    • Q - Z: January 14, 2019 - February 13, 2019

How do I set up 2-step verification?

In order to set up 2-step verification, you will need to use an authentication app to generate security codes. DotGov will only provide customer support for Google Authenticator, but any application that implements the time-based one-time password (TOTP) standard will also work.

Here’s how to set up 2-step verification with Google Authenticator:

  1. Download the Google Authenticator app (Android, iOS) on your mobile device. (Note that your organization might have rules about whether this app should be installed on your personal or your work device.)
  2. On your computer, log in to the .gov registrar at https://domains.dotgov.gov.
  3. Once logged in, click on Account in the left navigation, then select Setup 2-step Verification.
  4. Open the Authenticator app on your device and select Begin Setup (or ‘+’ if you’ve used the app before), then tap Scan Barcode, and point your device’s camera at the QR code on the screen. You should see an entry for the .gov Registrar added in Authenticator.
  5. Type the six-digit code displayed on your device in the One time password field.

Your account now has 2-step verification enabled! From now on, after you log in with your password, you will need to enter the six-digit code from your authentication app.

FAQ

Who does this change affect?

All user accounts will be required to use 2-step verification. If any of your domain points of contact (POC) are unable to use an authentication app, you will need to assign a new point of contact.

What is an authentication app?

Authentication apps generate security codes for signing in to sites that require a high level of security. You can use these apps to get security codes even if you don’t have an internet connection or mobile service. A mobile phone app is the typical example of an authentication app, but other forms exist, including applications for desktops, browser extensions, and physical hardware.

Any application that implements the time-based one-time password (TOTP) standard and can use a QR code or accept a manually entered key will also work. DotGov will only provide customer support for Google Authenticator mobile applications.

After installing and configuring the application to work with the registrar, you will be able to receive security codes for your account. Some options for authentication apps include:

  • Android options: Google Authenticator, 1Password, Authy, LastPass
  • iOS options: Google Authenticator, 1Password, Authy, LastPass
  • macOS apps: 1Password, OTP Manager
  • Windows apps: 1Password, OTP Manager
  • Chrome extensions: Authenticator
  • TOTP hardware: Protectimus Slim mini, Token2 miniOTP-1

Is there a cost for an authentication app?

Google Authenticator is free to download, and is the only application that DotGov will field customer support for. Other apps may have a cost.

I do not have a smartphone. What other options do I have?

All users are required to use 2-step verification. If you are unable to use a smartphone, you should explore other authentication app options available, but note that we will only field customer support for Google Authenticator.

Do authentication apps need an internet connection to function?

No. An internet connection is required to download an app (like Google Authenticator), but using it does not require an active connection.

I have a new phone. How do I switch devices?

If you have the old phone, log in to your account, click on ‘Account’, then select ‘Update 2-step verification.’

If you’re updating 2-step verification to a new device and you have access to the old one, consider deleting the old device’s “.gov Registrar” entry so you aren’t confused in the future.

I’ve lost my phone! How do I get back into my account?

If you are unable to access your device, you should contact the .gov Help Desk.


I have a question that isn’t listed. Who should I contact?

Contact the .gov Help Desk for additional support.