by patrakov 532 days ago
Unconventional opinion here.

Passwords in the password manager are not "something you know" anymore. They are "something you have". So, no matter whether the TOTP codes are stored in the same app or a separate device, you can no longer properly call them 2FA. It's 2x "something you have" in either case.

EDIT: user "jerf" in the same comment thread says that it is 2x "something you know". The distinction of whether something stored counts as "something you know" or "something you have" does not really matter. In either case, it is 2x the same type of factor. --END EDIT.

From the "difficulty to compromise something" standpoint, you are, of course, right that storing the TOTP seed in a separate device is better. But look, this is not the primary reason why websites need to implement TOTP. The very fact that hackers need to compromise your device in order to get access to your account already indicates a higher-than-usual security level, even without 2FA, and the article fails to notice this. Besides, the article only presents a user-centric viewpoint, while the viewpoint of a website owner would be more relevant here.

The main problem solved for real by TOTP is that users select stupid passwords like "Zhong+wen" that are guessable yet still pass complexity requirements, or reuse passwords on multiple websites (and your website cannot check for that), thus enabling compromise of the user's account on your website if another website gets hacked.

The main security reason (from the website viewpoint, not from the user's viewpoint) for TOTP introduction is, thus, to introduce a high-entropy factor which is (unlike a password) not chosen by the user, guaranteed not to be reused elsewhere, and thus cannot be guessed or compromised without access to the user's devices. This benefit is not invalidated by you storing the 2FA secret in the password manager.