1Password TOTP Alternative - Keep MFA Codes Separate
Should you store TOTP codes in 1Password? Here is why a dedicated MFA app preserves factor independence - and how FactorCat compares to storing 2FA codes in 1Password.
1Password is excellent for passwords
1Password is one of the best password managers available. It is well-designed, well-audited, and trusted by millions. It also supports storing TOTP tokens alongside your passwords. Many people do this because it is convenient.
We think this is a mistake.
The case against combining passwords and MFA
The entire point of multi-factor authentication is that the factors are independent. "Something you know" (password) and "something you have" (TOTP token) are supposed to be in different places. If your password manager stores both, a single breach compromises both factors simultaneously.
- One vault, one breach. If someone gets into your 1Password vault, through a compromised master password, a device exploit, or a social engineering attack, they have your passwords and your TOTP codes. There is no second line of defense.
- Phishing resistance drops. A phishing page that captures your 1Password autofill gets both the password and the TOTP code in the same action. Separate factors mean a phishing attack has to compromise two different systems.
- Regulatory frameworks agree. NIST guidelines specify that authentication factors should be independent. Combining them in one application arguably fails this requirement.
For the full argument, including what NIST actually says and how push approval changes the equation, read Why Your Password Manager Should Not Hold Your MFA Codes.
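The point about one vault holding both factors, as an added example (not code from FactorCat or 1Password): a TOTP code is a pure function of the stored seed and the clock (RFC 6238), so whichever store holds the seed holds the factor. The layouts and the helper names `accounts_lost` and `single_points_of_compromise` are constructed for illustration; the seed is the public RFC 6238 test key.

```python
import base64
import hashlib
import hmac
import struct

RFC_SEED = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"  # RFC 6238 test key, base32

def totp(secret_b32, unix_time, digits=6, step=30):
    """RFC 6238 TOTP (HMAC-SHA1): depends only on the seed and the time."""
    key = base64.b32decode(secret_b32.upper())
    counter = struct.pack(">Q", int(unix_time) // step)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

# Constructed sample layouts: store name -> {account: factor material held}
COMBINED = {"password_manager": {"mail": {"password", "totp_seed"}}}
SEPARATE = {
    "password_manager": {"mail": {"password"}},
    "mfa_app": {"mail": {"totp_seed"}},
}
REQUIRED = frozenset({"password", "totp_seed"})

def accounts_lost(layout, breached_store):
    """Accounts for which one breached store yields every required factor."""
    held = layout.get(breached_store, {})
    return sorted(acct for acct, kinds in held.items() if REQUIRED <= kinds)

def single_points_of_compromise(layout):
    """Stores whose breach alone is enough to lose at least one account."""
    return sorted(store for store in layout if accounts_lost(layout, store))

if __name__ == "__main__":
    # Anyone holding the seed can compute the code for any moment in time.
    print("code at t=59:", totp(RFC_SEED, 59))
    print("combined layout:", single_points_of_compromise(COMBINED))
    print("separate layout:", single_points_of_compromise(SEPARATE))
```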
FactorCat vs 1Password: side-by-side
| | FactorCat | 1Password |
|---|---|---|
| Purpose | MFA only - never stores passwords | Passwords + MFA combined |
| Factor independence | Yes - factors are in a separate app | No - same vault as passwords |
| Browser auto-fill | MFA codes auto-fill via push approve | MFA codes auto-fill with passwords |
| Push notifications | Yes - one-tap phone approval | No - codes generated in the app |
| Zero-trust mode | Locked Vault (free) | Not applicable (different model) |
| Token sharing | Yes - share individual factors | Yes - via shared vaults |
| Price | Free (50 factors) / Pro $24/yr | $36/yr individual / $60/yr family |
Where 1Password is better
- One app for everything. If convenience is your top priority and you accept the tradeoff, 1Password is hard to beat. One unlock, passwords and codes together.
- Password management. 1Password is a full password manager. FactorCat is not and will never be. You need a password manager either way.
- Family sharing. 1Password's family plan is well-designed for sharing passwords and other secrets across a household.
Where FactorCat is better
- Factor independence. Your MFA tokens are in a separate app, on a separate device, behind a separate approval step. A breach of one does not compromise the other.
- Push-to-approve. Instead of opening an app and finding a code, your phone buzzes and you tap approve. Faster and more intentional.
- Free tier. FactorCat is free for 50 factors. 1Password starts at $36/year for any usage.
The best setup
Use 1Password for passwords. Use FactorCat for MFA. They complement each other perfectly. Your passwords live in one app, your second factor lives in another, and neither can compromise the other.
Frequently asked questions
- Should I store TOTP codes in 1Password?
1Password supports storing TOTP secrets alongside passwords. It is convenient, and 1Password is a strong, well-audited app. The trade-off is that a single breach of your 1Password vault compromises both factors at once. Multi-factor authentication is designed to keep "something you know" and "something you have" in different places. Storing both in one vault collapses that separation.
- What is the difference between FactorCat and 1Password?
1Password is a password manager that also stores TOTP codes. FactorCat is dedicated to MFA: it stores TOTP secrets, generates codes, and adds browser auto-fill via push-to-approve from your phone. The two are complementary - 1Password for passwords, FactorCat for the second factor. Keeping them separate preserves real factor independence.
- Do I still need a password manager?
Yes. FactorCat is not a password manager and never will be. You still need 1Password, Bitwarden, or another password manager for storing passwords. FactorCat handles the MFA layer that sits on top.
- Does NIST recommend separating MFA from passwords?
NIST SP 800-63B specifies that authentication factors should be independent and that a breach of one should not compromise another. Combining password and TOTP storage in a single application creates a single point of compromise. Read more in our explainer, Why Your Password Manager Should Not Hold Your MFA Codes.
- Is FactorCat cheaper than 1Password?
FactorCat is free for up to 50 factors, with Pro at $24/year. 1Password starts at $36/year. If you only need MFA storage and use a free password manager (Bitwarden, browser-built-in), FactorCat lets you keep the factor separation without paying for 1Password.
Ready to switch?
Get FactorCat free. Available on iOS, Android, Chrome, and the web.