by hackerbrother
531 days ago
Ultimately, you have to store your backup codes somewhere. So the only solution besides using your password manager is using a second password manager. Or not using a password manager to save off your backup codes, which has its own disadvantages. There are lots of cases where 2FA reduces to 1FA. E.g. logging into a website on your mobile phone, and getting your TOTP or SMS code on that same phone. In fact, that case is so common I wonder if we should just get more used to the idea of 1FA, with smartphone passkeys/biometrics/SSO being the auth factor. As it stands, if you compromise someone's smartphone (and have their smartphone PIN), the odds are great you can autofill any password you like on their phone and pull up any needed 2FA tokens as well.