Hacker News
by arachnids 2882 days ago
Parent's argument is that it mitigates phishing - i.e. your normal workflow is you go to a site and your credentials are automatically filled in, so you'd be suspicious if that doesn't happen. In my experience, the autofill breaks so much that I've started copying my password in manually all the time.
2 comments

> In my experience, the autofill breaks so much that I've started copying my password in manually all the time.

FWIW, this has not been my experience with 1Password at all.

I use LastPass but have had the same experience - autofill is very, very reliable.

The TOTP code does not add anything to phishing mitigation.

Depends on the exact attack. If it's a full MITM (including TLS), no. If it's a fake website that doesn't forward after password-based authentication, yes. U2F would also detect the domain is incorrect, though so does my password manager. Though that's based on a browser extension. I suppose if the browser gets misled, as would the password manager. And that did happen with LastPass (XSS attack IIRC).