by cstuder 3498 days ago
Is it still two-factor-authentication if you're keeping your passwords and your one-time-password-generator in the same application?

We thought about calling it two-step-authentication. But most people know it by two-factor (and that's what most sites call it also).

And you can always have the OTP generator on your iOS device without the accompanying password to be technically accurate with the lingo.

Feels a bit like MPLS being Layer 2 and Layer 3.

I think it protects you against someone who's capable of sniffing your password on the wire somehow, since every login will require a unique code, and the secret is not transmitted, but you lose the benefit of "knowledge" (password) and "possession" (device, generating TOTP) being separate?

Whether you care about this depends on your threat model. If you're solving for "What if my Secrets vault is stolen by a bad actor and they're able to decrypt it?" then clearly physical possession being separate would be important.