by nicoburns 1073 days ago
I think I'm saying:

1. The case in which 2FA is really key is when you have a short password (or worse, a reused password). That leaves you open to bruteforce attacks, and to attacks where your email/password combination that was leaked from one service is reused to gain access to another service. But this is generally much less of an issue with a password manager, where you are likely using a long random password that is unique per service.

2. 2FA is still an extra layer on top of this, but perhaps isn't super necessary for a lot of less critical services. The chances of your password being compromised are pretty small.

3. Particularly with SMS 2FA, there may be attacks which are present for that but not present for password-manager-based TOTP. For example, attackers may be able to read SMS messages off a phone's lock screen without unlocking the phone. So it's not obvious that this is strictly worse than other options.

4. I think the ideal (aside from U2F tokens) is probably 2 separate password managers, syncing to different clouds (if syncing): a first-factor one and a second-factor one. If one is being really picky: then on separate devices. But this seems like it's probably overkill in most circumstances. Perhaps it makes sense to do something like this for a few key accounts (email, etc), but not everything?