Generally speaking, a password manager is going to be one of the strongest, most secure products a person uses.
Most people's threat model doesn't really include having to worry about having both of them in the same tool. If your threat model does, absolutely keep them separate. But I can say, that at least for my team, my biggest issue is really just getting people to use a password manager... I have two users, both of them executive level, that haven't opened their password manager in nearly 4 months.
I'd be far, far happier if they used a password manager; even if their 2FA codes were in that same password manager, it would be a significant increase in security over whatever is currently happening.
I've been in the same mindset as you, but I've changed my mind a bit.
Personally and at work, I've started to think about two-ish security classes.
The first are the top security things, e.g. my password manager or my github account. For these, I want my password and my second factor far away from each other and I won't add this second factor to my password manager to make it hard to compromise both of them at once.
But then there are less important accounts and, at work, shared accounts even. Here you get a small benefit: unless you compromise the secret behind the TOTP (which is the one kind you'd generally store in a password manager), if you can see my password + token for some reason, you only have access for a minute or so. Like I can finally type my password into Slack without the account being immediately compromised.
And I can get this small edge of security for these less important accounts for almost no effort from the PW manager.
Put differently - if you manage to break into my password manager, you'd get access to my less secure accounts either way, no matter if I store the TOTP or not. But having the TOTP active might make some attack scenarios harder, like if you MITM a login request.
I have often wondered the same thing. I think it boils down to the actual factors being “something you have” and “something you know”, where the former is the possession of the password manager file/access, and the latter is the master password of the pw manager?
I don't get No. 2 either. How are you supposed to get 2FA codes from a password manager? Does it mean use a manager that has an OTP code generating feature?
Yes. Bitwarden, for example, lets you store the 2FA information for accounts. You would still use a separate 2FA app to be able to access Bitwarden, of course. It may slightly lower the safety of using 2FA, but assuming you're using a strong password for your password manager and require 2FA to log into it from new devices, it's a minimal risk, and probably no worse than the alternative of having them on your phone. Plus, if your phone is lost, you don't have to go through the hassle of regaining access to everything.
Yes, 1Password etc can scan the QR code and generate OTP codes.
For shared accounts this is often critical, where, say, IT staff need to have 2FA access to manage some line-of-business cloud app, but you don’t want to set up 20 named users in your IT department in 30 different apps (Adobe, CRM, etc).
Password managers geared toward IT will have good audit trail, so each employee still 2FA’s into the password manager, and it’s logged who viewed passwords/codes when, so you still have named visibility into which IT staff are making which changes.
PassPortal (by N-able) is one I’ve used that did this for IT teams.
This also rubs me the wrong way, but at least on 1Password it’s cumbersome enough to add a device to your account that you still need to have something as a factor: an authed device on your account. So the attacker would need one of those and your master password to get at the OTP. It’s not the highest level of security, but it’s not quite eliminating things back to single factor.
You’re right that these should, ideally, be separated.
It’s a trade-off of practicality, in that both in one place is still (usually) an improvement for less technically inclined users, who will do well to just use the password manager.