by tashbarg 1200 days ago
So ... your solution is no tfa?

Putting second factor material in password managers is terrible advice. For reasons unknown to me, it might be the right solution for you. But in general, it defeats the two-factor authentication purpose if you reduce the factors again to knowledge alone.

The whole point of tfa is that the second factor is something you possess and not something you know (which is the first factor).

2 comments

There are multiple attack vectors that 2-factor helps with, and storing your 2-factor alongside your password does still help in some, just not all.

For the more common attacks I expect to encounter, namely a single password being leaked, a password manager is still based on something I "possess" (to an extent) - the decrypted password vault. It's separate from the single password that's likely to have been compromised in the most common scenario.

Of course, if my whole vault is compromised, then yes, storing my 2-factor in there made my life worse than the alternative. I just don't see that as anywhere near as likely a scenario as an individual account being compromised. Having 2-factor enabled in a less secure method is still better than not having 2-factor enabled at all.

Basically, there's nuance to this, it's not the extreme you present - a more in-depth comment on this: https://security.stackexchange.com/questions/150448/is-it-se...

You're assuming a compromised password == compromised 1Password vault, which is clearly not going to be the case most of the time.