Hacker News
by bubblethink 2688 days ago
I didn't understand the point you are making. I'm referring to the overall attack surface area of apps like 1Password (which I think also have browser extensions?). TOTP is better than SMS, but why put it in the same app as your password?
1 comment

You have to ask yourself what the primary threat is. Yes, the point, in the strong sense of a second factor, is a fully independent test. But the actual threat it mostly protects against is credential threats, not loss of devices or compromise of a keystore. SMS as a second factor is way, way worse because of the porting problem. OTP inside 1Password is a compromise, but it protects against the primary threat.

If you encrypt your disk and use a good passphrase, or a long PIN and passphrase on a phone, you are not that badly exposed.