If your password is compromised they still don't have access to your OTP, so 2 factor. If your password manager is compromised then they have both, 1 factor.
I'm no math whiz but pretty sure that makes it a 1.5 factor.
Right, presumably with a password manager you’re using a totally random string as your password too, coupled with different passwords for each site. So there is a combination of factors that makes it still much more secure than just “both factors in one place” since neither factor can easily be guessed.
The main threat vector would be, as you mentioned, compromise of the actual password manager.
As far as I can tell, 1Password’s end to end encrypted architecture makes this less probable.
That would reduce the main risks to our actual devices.
TOTP MFA is crap anyway because it has no passcode and it is so trivial to sync and it’s common for people to do so. So in scenarios where people close to you are a risk, or you’re dealing with other people’s data, it’s a pretty weak control. It’s great for preventing spray attacks and mitigating some compromise scenarios.
It’s likely members of your household, friends, coworkers have access to shared devices or shared vaults in 1Password. That makes that type of MFA more like 1.5 factor vs 2 factor.
1Password is itself a two factor app. The password is something you know and the secret key is something you have. Definitely counter-intuitive, but like how your operating system can contain both your password and your 2FA app, or your desk can contain your computer and your hardware key.
Whether you want to be one bad front-end UI deployment away from both factors being exposed, fair question...
This is AKA "one factor", right?