I'm going off the assumption that you mean storing your password and TOTP secret in the same app. Personally, I think storing your password and TOTP secret is worthwhile, but it ultimately depends on your threat model. If your threat model is someone walking up to your unlocked desktop and unlocked password manager, then it's not very effective. That being said, I believe a determined enough attacker will always win -- just be more annoying to pwn than others and you will sift out the majority of attackers, imo. But, if your threat model is that a website you use suffers a data breach and your username/password hashes are stolen, you have an extra line of defense with that second factor. This pretty much happens or will happen to everyone with online accounts at some point. So my long-winded answer is that I do still consider it two factor auth, and I do think it's worthwhile -- but all effective security should be layered with extra defenses when possible. EDIT: fixed some grammar, added some extra context.
The risk with same-device (or same-manager TOTP) isn't necessarily in a physical adversary (who's going to win anyways), but in a digital adversary who can run code (or read files) on one device but not several. That's one of the main reasons users are encouraged to use physical factors or, lacking that, an on-device factor that requires some kind of OS-mediated privileged interaction.
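An added illustration of the point both comments circle around (example code, not from either commenter): a TOTP code is a pure function of the stored secret and the clock, so whoever can read the vault entry holds both factors. The vault entry below is constructed; the key is the RFC 6238 test key, and all other values are placeholders.

```python
import base64
import hashlib
import hmac
import struct
import time


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6,
         digest=hashlib.sha1) -> str:
    """RFC 6238 TOTP: HMAC over the time-step counter, then dynamic truncation."""
    counter = unix_time // step
    mac = hmac.new(secret, struct.pack(">Q", counter), digest).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp_from_base32(secret_b32: str, unix_time: int, **kw) -> str:
    """Decode the base32 form that authenticator apps and password managers store."""
    s = secret_b32.strip().replace(" ", "").upper()
    s += "=" * (-len(s) % 8)  # tolerate unpadded secrets as exported by many apps
    return totp(base64.b32decode(s), unix_time, **kw)


# Constructed vault entry holding both factors side by side (placeholder values).
VAULT_ENTRY = {
    "username": "alice@example.com",
    "password": "correct horse battery staple",
    "totp_secret": base64.b32encode(b"12345678901234567890").decode(),  # RFC 6238 test key
}


def both_factors_from_entry(entry: dict, unix_time: int) -> dict:
    """Read access to the entry yields the password and a valid current code."""
    return {
        "password": entry["password"],
        "current_code": totp_from_base32(entry["totp_secret"], unix_time),
    }


if __name__ == "__main__":
    print(both_factors_from_entry(VAULT_ENTRY, int(time.time())))
```

The RFC 6238 test vectors (e.g. 94287082 at T=59 with SHA-1) check the implementation; with a separate hardware or OS-mediated factor, the `totp_secret` field would simply not exist in the readable entry.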