by jen729w 2426 days ago
Or you upgrade your phone, or wipe your phone for some reason, and forget that your OTP codes don't transfer over.

This is one reason I love OTP codes stored in 1Password. That was until I read a post here which convinced me that this approach is a total waste of time as I no longer truly have '2FA'. I have 1FA, and that is 1Password.


You could use Yubikey with Yubico Authenticator - the secret key is stored in the Yubikey. I did this because phone upgrades were a PITA, as you alluded. If you wanted you could have two Yubikeys (I have my second one in a safe deposit box).
Having 2FA in 1Password is still strictly stronger than 1FA. A leaked OTP token stays valid for about 60 seconds. Your leaked password may never change.
What is the threat model where an attacker gains access to your 1password vault in a way that gives them only a single OTP code and your password, and not the underlying symmetric TOTP key?
- using your password on a compromised desktop
- attacker looking over your shoulder as you enter your password
- company MITM breaks open SSL encryption and reveals your password

Obviously, if someone breaks into your 1Password it’s game over.

All of these aren’t related to your 1password vault. They all occur even if you’re using your phone as a totp device.
I think the point wasn't that 1password TOTP is more secure than separate TOTP device, probably even less secure than typical alternatives, but it is present, convenient, automatically backed up and safer than just a password.
Terminology clarification: The seed driving TOTP is a shared secret but NOT a symmetric key.