by ori_b 294 days ago
If you log into accounts from your phone, that's also 1fa in the same way. And if you keep your phone in the same place as your laptop, so it can get stolen at the same time, that's also effectively 1fa.

The threats that TOTP protects against are ones that don't involve losing your device. For example, if somebody breaches a password database or phishes your password, TOTP codes prevent them from using the leaked credentials.

Phishing/bulk password dumps are more common issues than device theft.


It depends on the phone, but for many phones the security story remains very good even when lost, unless someone knows your passcode. So it’s still “something you know” protecting the password and the TOTP code, but it’s different things that you know and strict rate-limiting on the phone side that wouldn’t be possible on an internet-exposed authentication system makes it extremely difficult to guess the phone passcode.
I don’t think we need to couch it in unclear terms: Apple and Google have made very secure devices that happen to be phones, with Apple’s computers as locked rock solid as their phones now.

It’s Microsoft that’s stuck in unsafe grounds, and it’s partly the cultural apathy of their user base that’s at fault.

> If you log into accounts from your phone, that's also 1fa in the same way.

Not quite, there's a lot more sandboxing on phones than what might go on with desktop.

Not on my desktop. It is much more sandboxed than any smartphone.

That sandboxing doesn't help if your phone gets stolen.

iPhones are pretty secure against theft unless they get your PIN or some such. I have two friends who forgot their own PINs and the data was unretrievable in spite of their best efforts.

If you have a Mac, what about using Keychain? It has a CLI/API and is protected by the Secure Enclave (so 2nd factor to unlock that)
> Secure Enclave (so 2nd factor to unlock that)

How so?

You need the fingerprint sensor to unlock it

I don't think you do. My Mac Mini has the same Secure Enclave as other devices with the M4/A18 SoC, and it literally doesn't have a fingerprint reader (or Face ID).

The Secure Enclave is used to handle data around biometrics, but biometrics aren't a requirement for its use.

Biometrics on Apple devices are generally a convenience method so that you don't have to type your strong password every time, they're not a second factor to the password.

Or rather, the people interested in phone/device theft aren't expecting and aren't after your TOTP keys.