I use pass for my password manager which links to my yubikey that has my gpg key on it. My yubikey has touch enabled which means that even if someone got access to my machine with my yubikey on it and asked me to tap they would only get that single password. As far as TOTP is concerned it's the same thing. The TOTP section of my yubikey has it's password and also requires a tap