by dgrove 2584 days ago
Google Authenticator does not help protect against a compromised device (as all TOTP secrets and seeds are on device) and is truly a pain when working with multiple phones. Personally I use Yubico Authenticator, as all the TOTPs live on my YubiKey. That, in combination with a password, then clicking on a TOTP I want and tapping my YubiKey, provides me with only that code. When I first seed the YubiKey with a new TOTP, I also back up a copy of the QR code text and save it into my password manager in the unfortunate event of having to swap out YubiKeys.

Doesn't this mean your password manager is still single factor? Access that, access everything. That's the problem I was trying to avoid.
I use pass for my password manager, which links to my YubiKey that has my GPG key on it. My YubiKey has touch enabled, which means that even if someone got access to my machine with my YubiKey on it and asked me to tap, they would only get that single password. As far as TOTP is concerned, it's the same thing. The TOTP section of my YubiKey has its password and also requires a tap.