1password and Lastpass both manage MFA codes and work cross-device. If your phone is your only way to get into MFA protected accounts, you're doing it wrong. What happens if you can't repair your phone?
I used to think this but I don’t agree any more. A factor is a factor: your service password + your password manager password = 2 factors. Yes, if someone compromises your password manager then you’re in a bad position but that’s not what service-level multi-factor authentication protects against.
> that’s not what service-level multi-factor authentication protects against
I don't understand your point. This is exactly what multi-factor authentication protects against if you don't store your MFA codes in your password manager.
A password may be compromised via other routes than just through a password manager hijack, which is probably far down the probability scale of all of the possible ways to do so
Except you're still protected whenever a website gets breached and all their passwords are dumped. Sure it's still a single point of failure but at least it's with a company dedicated to password security.
standard TOTP MFA (which is what most password managers would offer in terms of MFA) uses a shared secret, which you would just dump from the same database you get the dumped passwords from.
unless you use asymmetric crypto e.g. in webauthn this doesn't benefit you at all.
Except that the seed for the TOTP is unique to each website, because the website generates it, as opposed to an user-supplied password that might get reused across website. The impact is limited to the already compromised website, which is pretty darn good.
This is why you need to start with a threat model. For example, if your concern is password reuse or weak passwords simply using a password manager to have unique per-site passwords solves that problem for almost anyone.
If your concern is phishing, storing the code on the device (especially on a modern phone) is really moot since all forms of one-time codes are vulnerable — you should be working on how to switch to FIDO2/WebAuthn.
If your concern is a temporary exploit of the user's browser, using an out-of-process password manager is likely to prevent exfiltration of the entire password list but in practice this is already probably a disaster scenario unless you're using sites which require a strong FIDO2 challenge for sensitive operations since the attacker already has your cookies for everything you use regularly.