Two-factor authentication only works if the factors are separate

I love seeing people enable 2FA. It is one of those small security moves that instantly raises your baseline.

But I have noticed a pattern that quietly cancels out most of the benefit:

People set up 2FA (great), and then store the 2FA codes in the same password manager as the password (less great).

That defeats the whole point of the “second factor”.

2FA exists to protect you on the day your password leaks. And passwords leak all the time: data breaches, phishing, reused passwords, malware. If an attacker gets your password, 2FA should still stop them because they do not have the second factor.

The keyword here is separation.

The convenience trap: when “two factors” become one

A password manager is an amazing tool. Use one. I do too.

But if your password manager contains:

  • your passwords
  • and your 2FA secrets (or your backup codes)

…then your “two factors” effectively become one.

If the password manager is compromised, the attacker gets everything needed to log in.

And yes, that can happen in a few very realistic ways:

  • Your master password gets phished.
  • Your device is compromised while the vault is unlocked.
  • You get tricked into approving a malicious login to the password manager itself.
  • A session token is stolen.
  • You accidentally share the wrong vault item.

I am not saying “never store anything sensitive in a password manager”. I am saying: do not turn it into a single point of failure for your entire digital life.

A question worth asking:

“If my password manager is the one thing that fails, how bad is the blast radius?”

If the answer is “total account takeover across email, cloud, social, work tools, banking”, it is time to reduce that blast radius.
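One way to answer that question for your own vault, as an added example that is not part of the original post: a small audit script that reads a password-manager export and flags items holding both a password and a second factor (a TOTP seed or recovery codes). The export format is a constructed, generic JSON list; real managers export differently, so adapt the field names to your tool.

```python
import json
import re
from urllib.parse import parse_qs, urlparse

# Constructed sample export (not any real manager's format). "email" keeps its TOTP
# seed beside the password; "cloud" keeps recovery codes in notes. Both are one-basket items.
SAMPLE_EXPORT = json.dumps([
    {"name": "bank", "password": "hunter2", "totp": "", "notes": ""},
    {"name": "email", "password": "p4ss",
     "totp": "otpauth://totp/Example:m?secret=JBSWY3DPEHPK3PXP&issuer=Example", "notes": ""},
    {"name": "cloud", "password": "p4ss2", "totp": "",
     "notes": "recovery codes: 1234-5678 8765-4321 2468-1357 1357-2468"},
    {"name": "forum", "password": "x", "totp": "", "notes": "low value, no 2FA"},
])

# A token of 4-12 chars containing at least one digit; three or more of these next to
# the words "recovery" or "backup" is a strong hint that backup codes live in the notes.
CODE_TOKEN = re.compile(r"\b(?=[A-Za-z0-9-]*\d)[A-Za-z0-9-]{4,12}\b")

def has_totp_seed(item):
    """True if the item carries a usable TOTP seed (otpauth URI with a secret, or a bare one)."""
    value = (item.get("totp") or "").strip()
    if value.startswith("otpauth://"):
        return "secret" in parse_qs(urlparse(value).query)
    return bool(value)

def has_recovery_codes(item):
    """Heuristic: recovery/backup keyword plus at least three code-like tokens in the notes."""
    notes = (item.get("notes") or "").lower()
    keyword = "recovery" in notes or "backup" in notes
    return keyword and len(CODE_TOKEN.findall(notes)) >= 3

def blast_radius(export_json):
    """Return [(item name, reasons)] for items where one vault compromise yields a full login."""
    flagged = []
    for item in json.loads(export_json):
        reasons = []
        if item.get("password") and has_totp_seed(item):
            reasons.append("password and TOTP seed in the same item")
        if item.get("password") and has_recovery_codes(item):
            reasons.append("password and recovery codes in the same item")
        if reasons:
            flagged.append((item["name"], reasons))
    return flagged

if __name__ == "__main__":
    flagged = blast_radius(SAMPLE_EXPORT)
    print(f"{len(flagged)} item(s) where the password manager is a single point of failure:")
    for name, reasons in flagged:
        print(f"  {name}: {'; '.join(reasons)}")
```

Every item the script flags is an account where the vault alone is enough to log in; those are the seeds and codes to move out first.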

My decision: I split my 2FA out, and moved to Ente Auth

This is the practical change I made: I stopped keeping my 2FA seeds in my password manager, and moved my 2FA codes to Ente Auth.

Why Ente Auth specifically?

  • It is open source.
  • It offers end-to-end encrypted backups and sync across devices.
  • It is cross-platform (mobile, desktop, web).
  • You can use it offline if you want.
  • The Ente team states Ente Auth is free and will remain free forever.

The big win for me is not “this app is perfect”. The big win is restoring the security model 2FA was designed for: separation.

If my password manager ever becomes my worst day, my authenticator is not automatically taken down with it.

What I recommend

1) Split passwords and 2FA

  • Keep passwords in your password manager.
  • Keep TOTP codes in a separate authenticator app on your phone (and/or a different device).

This alone reduces your blast radius dramatically.

2) Use passkeys where you can

Passkeys are a meaningful upgrade: phishing-resistant, no codes to type, and harder to steal than passwords (especially if you protect your device well). When a service supports passkeys, enable them and actually test them.

3) Add a hardware security key for your most critical accounts

If you do one “extra” thing this year, make it this, for accounts like:

  • email
  • your password manager account
  • work admin panels
  • cloud providers

Hardware keys are annoyingly effective.

Migration notes: do this carefully

A quick safety checklist if you are moving authenticators:

  • Export or migrate one account at a time.
  • Confirm the new codes work before disabling the old setup.
  • Store recovery codes separately (not in the same place as your passwords).
  • Test your “lost phone” plan: Can you regain access without panic?

(And if you rely on cloud sync for your authenticator, make sure you understand how backups and account recovery work.)
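For the "confirm the new codes work before disabling the old setup" step, here is an added example (not from the post, and not Ente Auth's code) that computes the TOTP code for a seed yourself and checks it against what the new app shows. It assumes the standard RFC 6238 defaults (SHA-1, 6 digits, 30-second period) unless the otpauth URI says otherwise, and tolerates one period of clock skew between devices.

```python
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, unquote, urlparse

def parse_otpauth(uri):
    """Pull secret, digits, period and algorithm out of an otpauth://totp/ URI."""
    parsed = urlparse(uri)
    if parsed.scheme != "otpauth" or parsed.netloc != "totp":
        raise ValueError("not a TOTP otpauth URI")
    query = parse_qs(parsed.query)
    return {
        "label": unquote(parsed.path.lstrip("/")),
        "secret": query["secret"][0],
        "digits": int(query.get("digits", ["6"])[0]),
        "period": int(query.get("period", ["30"])[0]),
        "algorithm": query.get("algorithm", ["SHA1"])[0].upper(),
    }

def totp(secret_b32, for_time=None, digits=6, period=30, algorithm="SHA1"):
    """RFC 6238: HMAC over the time counter, dynamic truncation, modulo 10^digits."""
    secret = secret_b32.replace(" ", "").upper()
    key = base64.b32decode(secret + "=" * (-len(secret) % 8))  # re-add stripped padding
    now = time.time() if for_time is None else for_time
    counter = int(now // period)
    mac = hmac.new(key, struct.pack(">Q", counter), algorithm.lower()).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)

def verify_migration(uri, code_from_new_app, at=None):
    """True if the new app's code matches the seed in the current or an adjacent window.
    Only then is it safe to disable the old authenticator for that account."""
    p = parse_otpauth(uri)
    now = time.time() if at is None else at
    for drift in (-1, 0, 1):  # tolerate one period of clock skew between devices
        expected = totp(p["secret"], now + drift * p["period"],
                        p["digits"], p["period"], p["algorithm"])
        if hmac.compare_digest(expected, code_from_new_app):
            return True
    return False

if __name__ == "__main__":
    # Constructed URI using the RFC 6238 test seed; type the code your new app shows.
    demo = "otpauth://totp/Example:me?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Example"
    print("expected now:", totp(parse_otpauth(demo)["secret"]))
```

A mismatch means the seed (or its digits/period/algorithm) did not survive the move; fix that before touching the old app.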

The point of 2FA is not “more steps”, it is less risk

My advice stays simple:

Do not store the password and the second factor in the same place. Because then it is not really 2FA. It is just “2 things in 1 basket”.

Curious: do you store your 2FA codes in the same place as your passwords, or did you split them already?

Original LinkedIn post.

Why I decided to sponsor Ente Auth

There is one more reason I feel good about this move: I decided to sponsor the Ente Auth project.

Not because I expect “VIP support” or special treatment, but because I genuinely believe this:

Open source can only exist long-term if the maintainers are well funded.

We all benefit from open source every single day, often without even realizing it. But “free to use” does not mean “free to build and maintain”. Security apps especially are the kind of software you want to see maintained, audited, improved, and supported for years.

Sponsoring is my way of voting with my wallet for the kind of internet I want:

  • tools that are transparent
  • projects that are sustainable
  • maintainers who can keep shipping without burning out

If you are using an open source tool that has become part of your daily workflow, consider sponsoring too. Even a small monthly amount, multiplied by enough users, turns into stability. And stability is a security feature.

(And yes, I know: you can still use Ente Auth without paying. That is the point. But if you can afford it, helping fund the project is how we keep good open source alive.)


About Marcel Bootsman

Marcel discovered the web in 1995. Since then he has paid attention to and worked with lots of technologies, and founded his own WordPress-oriented business nostromo.nl in 2009.

Currently Marcel is Partnerships & Community Manager EMEA at Kinsta, where he helps clients and partners grow their business with Managed Hosting for WordPress.

You can contact Marcel on a diverse range of online platforms. Please see the Connect section on the homepage for the details.
