[stavros]

Yes, I know all that, and that's fine. I'm not looking to solve the problem of authenticating so I can launch nukes, I just want people to not steal my Twitter account.

A random thief stealing my laptop would have to:

1) Bother

2) Break my hard disk encryption/know the password

3) Break my password manager encryption/know the password

I think that's hard enough for someone wanting to get into my email. I use a separate hardware key to secure my domains, and that's about it.

[necovek]

That's fine, the only question is why use 2FA at all?

What's the attack vector you are protecting against that a good, non-reused password is not covering?

[stavros]

Keyloggers, stolen password databases, MITM, shoulder surfers, interception.

[necovek]

Yeah, that makes sense: I brought up stolen password hashes, but I generally disregard keyloggers/MITM/interception because I usually use trusted devices and network encryption (HTTPS), but not all sites do, and I can see how people might be forced to use untrusted devices.

Still, when you've got access to your password manager (to get your password and TOTP token too), you've got access to a trusted device too.

And there is still an option for anyone (including shoulder surfers) to type in your password+token a bit faster than you so they get in: nobody bats an eyelid for getting reprompted for another TOTP token.

You are also vulnerable to someone stealing your password manager password in this manner, especially with a cloud one (which is what most businesses require).

As a conclusion, it does grant you some extra protection against using password only, but when on a separate device, it's really another dimension.