by shortcake27 994 days ago
Storing OTPs in your password manager is like 1.5FA. It still provides protection against phishing, brute-forcing, and socially engineered password resets, so it isn’t totally useless. But it doesn’t protect against your vault getting compromised.

I keep super important 2FA codes (email, GitHub, etc.) elsewhere, and for less important services, I store the OTP in my password manager.


OTPs don't protect against phishing. You still type the TOTP in a browser window that sends it off to the attacker. Phishing SDKs automatically handle proxying the password over and then proxying the TOTP over.

Depends how sophisticated the attack is. Plenty of attacks aren’t. I could have been clearer in my comment, but what I meant was “can protect”, not “guaranteed protection”. I apologise if it was taken that way.

On the topic of phishing and OTPs, storing the OTP in your password manager could actually help with phishing (as opposed to storing it in an authenticator), because it will only autofill on the correct domain. This can be the difference between compromising a password or the whole account.
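Two points in the thread are worth seeing in code: a TOTP is a pure function of the stored seed and the clock, so anyone who reads the seed out of a compromised vault can compute every future code (the "1.5FA" concern), and a password manager's protection against a look-alike phishing page comes from matching the stored origin against the page origin before it autofills anything. The block below is an added example written for this page, not code from any commenter or from a real password manager. The TOTP part follows RFC 4226/6238 and is checked against those RFCs' published test vectors; the autofill rule (exact host or a subdomain of it, HTTPS only, hosts IDNA-normalised) is a constructed policy that mirrors the general behaviour of managers, not any specific product's algorithm.

```python
import hashlib
import hmac
import struct
import time
from urllib.parse import urlsplit


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then
    dynamic truncation to a 31-bit integer, then the low `digits` decimals."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step).
    Nothing here depends on the device: seed + clock => code, which is why a
    seed copied out of a vault yields the same codes as the victim's device."""
    return hotp(secret, unix_time // step, digits)


def normalize_origin(url: str) -> tuple[str, str]:
    """Return (scheme, host) with the host IDNA-encoded and lower-cased so that
    Unicode look-alike labels become distinct punycode and never compare equal
    to the ASCII host stored in the vault."""
    parts = urlsplit(url)
    host = (parts.hostname or "").rstrip(".")
    host = host.encode("idna").decode("ascii").lower()
    return parts.scheme.lower(), host


def should_autofill(stored_url: str, page_url: str) -> bool:
    """Constructed autofill policy: fill only over HTTPS, and only when the page
    host is the stored host or a subdomain of it. Suffix-matching on the
    whole label boundary ('.' + host) rejects 'github.com.example'."""
    _, stored_host = normalize_origin(stored_url)
    page_scheme, page_host = normalize_origin(page_url)
    if page_scheme != "https" or not stored_host:
        return False
    return page_host == stored_host or page_host.endswith("." + stored_host)


if __name__ == "__main__":
    # Constructed seed for demonstration only (also the RFC 6238 test-vector seed).
    seed = b"12345678901234567890"
    print("current TOTP:", totp(seed, int(time.time())))
    entry = "https://github.com/login"  # origin recorded by the manager at save time
    for page in ("https://github.com/session",
                 "https://github.com.example/login",   # constructed look-alike
                 "https://g\u00edthub.com/login",     # constructed homoglyph host
                 "http://github.com/login"):           # downgraded scheme
        print(f"{page:45} autofill={should_autofill(entry, page)}")
```

The `should_autofill` rule is deliberately simple; production managers also consult a public-suffix list so that, for example, two unrelated sites under a shared hosting suffix are not treated as the same origin. The point the thread makes survives that refinement: the match is on the origin the browser reports, which a proxying phishing page cannot make equal to the real site's, whereas a human reading a code off an authenticator app performs no such check.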