by joe_fishfish 1430 days ago
If it's magic link or multi-factor authentication, I know which one I prefer. Try explaining to an MFA-loving service that your phone is out of action while it's being repaired.
4 comments

1Password and LastPass both manage MFA codes and work cross-device. If your phone is your only way to get into MFA-protected accounts, you're doing it wrong. What happens if you can't repair your phone?
If you're storing your "multi-factor" authentication codes in the same place (ahem, "factor") as your password, you're doing it wrong.
I used to think this but I don’t agree any more. A factor is a factor: your service password + your password manager password = 2 factors. Yes, if someone compromises your password manager then you’re in a bad position but that’s not what service-level multi-factor authentication protects against.
> that’s not what service-level multi-factor authentication protects against

I don't understand your point. This is exactly what multi-factor authentication protects against if you don't store your MFA codes in your password manager.

A password may be compromised via other routes than just through a password manager hijack, which is probably far down the probability scale of all of the possible ways to do so.
Except you're still protected whenever a website gets breached and all their passwords are dumped. Sure it's still a single point of failure but at least it's with a company dedicated to password security.
How?

Standard TOTP MFA (which is what most password managers would offer in terms of MFA) uses a shared secret, which you would just dump from the same database you get the dumped passwords from.

Unless you use asymmetric crypto, e.g. in WebAuthn, this doesn't benefit you at all.

Except that the seed for the TOTP is unique to each website, because the website generates it, as opposed to a user-supplied password that might get reused across websites. The impact is limited to the already compromised website, which is pretty darn good.
This is why you need to start with a threat model. For example, if your concern is password reuse or weak passwords simply using a password manager to have unique per-site passwords solves that problem for almost anyone.

If your concern is phishing, storing the code on the device (especially on a modern phone) is really moot since all forms of one-time codes are vulnerable — you should be working on how to switch to FIDO2/WebAuthn.

If your concern is a temporary exploit of the user's browser, using an out-of-process password manager is likely to prevent exfiltration of the entire password list but in practice this is already probably a disaster scenario unless you're using sites which require a strong FIDO2 challenge for sensitive operations since the attacker already has your cookies for everything you use regularly.

Microsoft Authenticator syncs your codes to the cloud so you can pull them elsewhere (when your phone is out of action).
Last time I tried that I still had to reactivate all the accounts.

Storing them in Bitwarden is more convenient by far, but storing TOTP is a paid feature.

I use 1Password, but I'm not sure storing the OTP next to the password is a good idea?
The idea is that you protect your password vault with 2FA and a strong password.

It slightly raises the risk in the scenario where your password vault gets hacked, but like with putting all your passwords in the same place, if you've only got 1 place to protect it becomes easier to protect it more thoroughly.

Doesn't that defeat the purpose to a degree?
Microsoft thinks it is fine for most users' threat models because these use two stacked layers of encryption: your Microsoft account and either Apple's cloud backup encryption or Google's. To move these codes between devices you have to log in to both your Microsoft account and also your Apple or Google account in quick succession. I know on Apple devices it works in the same (iCloud) backup layer that disables other device keys, so doing this on a new device will "break" access on the previous device (only one device at a time has access). (I'm not sure about Google's ecosystem.) You can't easily switch ecosystems with this. Microsoft seems to think it unlikely enough that both your Microsoft account and your device ecosystem account will be compromised at the same time that there is enough security in this depth.
I use MS authenticator, and had the same thought.

I came to grips with the idea that I really don't care all that much if a single factor has risks as long as the other factors have orthogonal lists.

There needs to be a way to sync everywhere except the device you're connecting from.
Here's what that's like with WebAuthn:

1. Use my YubiKey with a different phone via NFC or a different computer using USB.
2. Log in using my other iPhone or Mac because the WebAuthn passkey is synced via iCloud (this is in the process of coming to Chrome & Windows).

The nice thing is that all of those are more convenient than using email in addition to being more secure.

Does your email not use MFA? So the choice isn't between magic links or MFA, it's between magic links and MFA or just MFA?