SANS Internet Storm Center (ISC) InfoSec Forums

Tip: Password Managers and 2FA

I guess many of you use a password manager.

I do too. And several credentials stored in my password manager also have 2FA, typically based on an algorithm that has to be seeded with a secret key (like the one used by Google Authenticator).

Whenever I have to create a new account with 2FA, I will store the 2FA key in my password manager along with the password for that account. And if the key is presented as a QR code (it often is), I will save that QR image temporarily to disk and include that file in my password manager.

This way, if I lose my device for 2FA authentication (e.g. smartphone), I can get a new device and start again with a fresh 2FA app install.

If you don't like the idea of storing your password together with your 2FA key: use 2 different password managers, one for your passwords and one for your 2FA keys. And use 2 different master passwords :-)


Didier Stevens
Senior handler
Microsoft MVP
ISC Handler
Nov 1st 2019
Some TOTP applications are already able to back up TOTP seeds to their cloud storage. E.g. Authy (keeping TOTP separate) and BitWarden both offer this service for free.
