[zaptheimpaler]

> Doesn't that dilute the value of MFA and essentially make it SFA? If someone compromises your 1Password app or password, then they get both factors of authentication.

Yep, that's the point. I have been using the internet for 20 years now and have somehow managed to not get hacked by using unique passwords, not clicking on porn pop ups or falling for phishing attacks and updating my OS occasionally. I take a risk every time I drive a car or drink alcohol or even walk around my neighborhood. We can't bubble wrap the entire world and make risk disappear. So i like SFA because its convenient, even if it may be marginally more risky. I literally cannot imagine a solution with 0 risk, and its foolish to keep moving to new security "best-practices" trying to pretend one exists.

[nicoburns]

The risk of course being that if your password manager gets hacked then they get the keys to everything. I've been wondering about whether it might make sense to use two separate password managers: one for password, one for TOTP. It's almost as convenient, and it's extremely unlikely that an attacker can compromise both independent password managers at once.