by czarit 607 days ago
This depends on the threat model. Having 2FA in the PW manager defends against someone phishing the password and database leaks on the server side, which are the most common in my threat model. But note that if they can phish your pw, they can probably phish your 2FA as well.

It obviously does not protect against the scenario where someone is breaking into your password vault.

I tend to enable 2FA but conveniently save the token in the PW manager for relatively low equity stuff, just to make it less enticing for an attacker, but use hardware FIDO for everything actually important.


Same here.

TOTP is trivially phishable via evil nginx just like your password, and via social engineering.

FIDO2 is not phishable and you have no secret to give out to social engineering attacks.

> TOTP is trivially phishable . . . via social engineering

Is it? I've been on the Internet since the 80s and haven't been phished a single time (despite being the recipient of many obvious attempts). Maybe I could be phished, but I think that's evidence it's not trivial.

I have to wonder how many people sophisticated enough to use and pay for a password manager like Bitwarden could be "trivially" phished.

That's great for you, but also a sample size of one (probably technically sophisticated) user, i.e. irrelevant to the bigger picture.

The phishability of TOTP really is exactly as bad as that of passwords, except that a once-phished TOTP isn't reusable by the attacker(s), unlike a phished password.

But even one-time access is often catastrophic, especially if it allows the attacker to rotate credentials.
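The two points made above (a TOTP code relays through a lookalike page exactly like a password but is only good once, while a FIDO2 assertion is bound to the origin the browser was really on) can be seen in the server-side checks themselves. The following is an added example, not code from anyone in this thread: a real RFC 6238 TOTP validator with a used-code set, next to a simplified WebAuthn relying-party check in which a constructed HMAC stands in for the authenticator's ECDSA signature and all keys, origins and the challenge are made-up values.

```python
import hashlib, hmac, json, struct
STEP = 30  # TOTP time step in seconds

def totp(secret: bytes, t: int, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1; the code says nothing about where it was typed."""
    mac = hmac.new(secret, struct.pack(">Q", t // STEP), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF) % 10 ** digits
    return f"{code:0{digits}d}"

def server_accepts_totp(secret: bytes, code: str, t: int, used: set, window: int = 1) -> bool:
    """Server check: valid within +/-window steps, and each code is accepted only once."""
    for k in range(-window, window + 1):
        if hmac.compare_digest(totp(secret, t + k * STEP), code):
            if code in used:
                return False      # replay: a phished code works once, not twice
            used.add(code)
            return True
    return False

def authenticator_sign(cred_key: bytes, rp_id: str, client_data: dict) -> dict:
    """Stand-in authenticator (constructed): HMAC replaces the real per-credential ECDSA signature.
    client_data is built by the BROWSER, so 'origin' is the page the user is actually on."""
    cdj = json.dumps(client_data, sort_keys=True).encode()
    auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x01" + (1).to_bytes(4, "big")  # rpIdHash|flags|counter
    sig = hmac.new(cred_key, auth_data + hashlib.sha256(cdj).digest(), hashlib.sha256).digest()
    return {"clientDataJSON": cdj, "authenticatorData": auth_data, "signature": sig}

def server_accepts_assertion(cred_key: bytes, rp_id: str, origin: str, challenge: str, a: dict) -> bool:
    """Relying-party verification (WebAuthn 7.2, simplified): type, challenge, origin, rpIdHash, signature."""
    cd = json.loads(a["clientDataJSON"])
    if cd.get("type") != "webauthn.get" or cd.get("challenge") != challenge:
        return False
    if cd.get("origin") != origin:    # a relayed assertion carries the lookalike's origin
        return False
    if a["authenticatorData"][:32] != hashlib.sha256(rp_id.encode()).digest():
        return False
    signed = a["authenticatorData"] + hashlib.sha256(a["clientDataJSON"]).digest()
    return hmac.compare_digest(hmac.new(cred_key, signed, hashlib.sha256).digest(), a["signature"])

def demo() -> dict:
    secret, key, now, used = b"12345678901234567890", b"cred-key-stand-in", 1_700_000_000, set()
    code = totp(secret, now)                                      # code typed on a lookalike page
    relayed_totp = server_accepts_totp(secret, code, now, used)   # True: server cannot tell
    replayed_totp = server_accepts_totp(secret, code, now, used)  # False: one-time
    base = {"type": "webauthn.get", "challenge": "constructed-random-challenge"}
    bad = authenticator_sign(key, "example.com", {**base, "origin": "https://examp1e.com"})
    good = authenticator_sign(key, "example.com", {**base, "origin": "https://example.com"})
    ok = lambda a: server_accepts_assertion(key, "example.com", "https://example.com", base["challenge"], a)
    return {"relayed_totp": relayed_totp, "replayed_totp": replayed_totp, "relayed_fido2": ok(bad), "genuine_fido2": ok(good)}
```

In a real browser the relayed case never even reaches the server, because the browser refuses to use an example.com credential from a different origin; the server-side origin check is the second layer that catches anything that slips through.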