[cjcampbell]

It’s not my preferred method because I want 2FA to save me if my device is compromised, but it does still add protection against traditional password attacks, credential stuffing, etc. It even adds a layer of phishing resistance, as long as the user doesn’t blindly jump to copy/paste when autofill fails.

[flangola7]

What is the phishing resistance it adds? Bitwarden auto copies TOTP to the clipboard.

[cjcampbell]

Depends on the password manager. 1Password will not autofill if the domain doesn’t match. It’s up to the user at that point to check the url before copy/pasting the code. My guess is that the average user would do that by reflex without a second thought.