[orev]

A TOTP code must be marked as “used” immediately after processing it, so an attacker using a keylogger would have only a few seconds at most to use the code, assuming the user typed the code from the password manager instead of copy/paste.

The protection offered for TOTP in a password manager is from people who reuse the same password on multiple sites and some other site gets hacked. In that case, the attacker would not be able to login, regardless of having the password.

Also, once a system is so thoroughly compromised that the attacker can install a key logger or dump a password database, that system and all the user accounts are already completely compromised.

TOTP at this point is essentially a forced password that changes every 30 seconds instead of an actual additional factor, however in many cases that’s good enough.

[jiveturkey]

you missed the attack. a keylogger doesn’t capture the TOTP (and fully synchronous 0-reuse TOTP isn’t possible on global scale, instead you catch it in audit) a keylogger captures the master password to the pwm that stores the TOTP secret.

[r00fus]

But then they have to have physical access to your pwm or an export of it. If it's cloud-based, I'd have to assume there's some additional auth done for non-approved devices, or it's a bad cloud pwm.