Respectfully, I believe this is very poor advice based on a misconception.
Second, there’s quite literally zero increase in security when putting 2fa secrets in your password manager. What possible attack scenarios would it protect against?
It would provide protection in any attack scenario where any other form of TOTP would protect you, except for the unlikely scenario of a properly secured vault being breached. When comparing TOTP stored in your vault with TOTP (or SMS or e-mail), storing TOTP in the vault is at least as secure as the others in all areas except for one of the less likely scenarios (a vault breach).
As you correctly stated, hardware keys are a separate topic that shouldn’t be grouped into a comparison of TOTP stored in the password manager vs TOTP in a standalone app, so let’s leave them out of this discussion.
Compared to TOTP through your password manager, you will be marginally more secure with a separate (password protected) TOTP app against one threat vector, and marginally more secure with hardware 2fa than any form of TOTP. But the difference is marginal.
In a nutshell my perspective is this: If you want the absolute highest security a hardware key/token is the best choice for a 2nd factor. But if TOTP is sufficiently secure for your threat model, the difference in security between a standalone TOTP app and using your password manager as a TOTP app is at best marginal, and you should choose whatever is most comfortable/convenient for you or whatever makes you feel comfortable.
We wouldn’t be removing it unless there was something wrong with it. After all it is the only option with self hosting capability.
As for storing TOTP codes in a hosted password manager, it’s not ideal because it’s really reducing security to one thing - authentication to your password manager. Also we wouldn’t suggest storing once-use “backup codes” in there either.
For once-use backup codes I don’t store these on my devices. Something like a LUKS/VeraCrypt container on a few USB sticks or backed up offsite is enough. You could even attach the LUKS container to your password manager and that would not reach the file size limit; after all, the backup codes are only text files and there is no reason the container couldn’t be 50MB. That way, even if access to your password manager was gained, the encrypted file would still require a separate password. Obviously don’t store that password in Bitwarden if you do that.
For convenience, however, I can see the reason why people might just use a password manager for storing TOTP codes. If you’re going to do that I would think about the value of such codes; for example, I would not store domain/email TOTP secrets in a password manager. It would be totally reasonable to have Aegis with those two things in it, while storing other less valuable TOTP codes in Bitwarden. The exported Aegis JSON file could be added to your LUKS container, however, for backup. Another good thing to add there would be your LUKS volume headers.
TOTP codes are not the strongest way to do MFA because they rely on a shared secret. FIDO-based security such as using a security key is always the better approach because it provides attestation and doesn’t require the service to hold any private secrets; that makes it the “best” security.
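To make the “shared secret” point in the post above concrete, here is an added example in Python (not code from this thread, nor from Bitwarden, Aegis or Proton Pass) that implements RFC 4226 HOTP and RFC 6238 TOTP from scratch and parses the kind of otpauth:// URI that Aegis exports and a password manager’s TOTP field stores. The URI is constructed; its base32 secret is the RFC 6238 reference key, so the codes can be checked against the RFC’s published test vectors. The one-step clock-drift window in `service_verify` is an assumption about what a typical service accepts. The example shows the security-relevant fact directly: the authenticator, the service and anyone holding a copy of the vault entry all compute the same codes from the same bytes.

```python
"""Added example: TOTP (RFC 6238) from a shared secret. Not the project's own code."""
import base64
import hashlib
import hmac
import struct
from urllib.parse import parse_qs, unquote, urlparse

# RFC 4226 / RFC 6238 reference key (ASCII "12345678901234567890"), chosen so
# the outputs can be checked against the RFCs' published test vectors.
RFC_SECRET = b"12345678901234567890"

# Constructed otpauth:// URI of the kind Aegis exports and a vault's TOTP field
# stores. The base32 `secret` parameter IS the shared key: whoever can read this
# string can mint valid codes, which is why the vault becomes a single point of
# failure once the TOTP secrets live in it.
EXAMPLE_URI = (
    "otpauth://totp/Example:alice%40example.com"
    "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Example&digits=6&period=30"
)


def hotp(secret: bytes, counter: int, digits: int = 6, algorithm: str = "sha1") -> str:
    """RFC 4226: HMAC(secret, counter) -> dynamic truncation -> zero-padded digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), getattr(hashlib, algorithm)).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, period: int = 30, digits: int = 6,
         algorithm: str = "sha1") -> str:
    """RFC 6238: HOTP with the counter taken from the current time step."""
    return hotp(secret, unix_time // period, digits, algorithm)


def service_verify(stored_secret: bytes, submitted: str, unix_time: int,
                   window: int = 1, period: int = 30, digits: int = 6) -> bool:
    """What the relying party does: recompute the code from ITS copy of the secret.

    The +/-`window` steps of drift tolerance is an assumption about a typical
    service, not something stated in the thread.
    """
    candidates = (totp(stored_secret, unix_time + step * period, period, digits)
                  for step in range(-window, window + 1))
    return any(hmac.compare_digest(c, submitted) for c in candidates)


def parse_otpauth(uri: str) -> dict:
    """Extract the parameters of an otpauth://totp/ URI (defaults per common practice)."""
    u = urlparse(uri)
    if u.scheme != "otpauth" or u.netloc != "totp":
        raise ValueError("not an otpauth://totp/ URI")
    q = parse_qs(u.query)
    b32 = q["secret"][0].upper()
    b32 += "=" * (-len(b32) % 8)  # tolerate unpadded base32, which many apps emit
    return {
        "label": unquote(u.path.lstrip("/")),
        "issuer": q.get("issuer", [""])[0],
        "secret": base64.b32decode(b32),
        "digits": int(q.get("digits", ["6"])[0]),
        "period": int(q.get("period", ["30"])[0]),
        "algorithm": q.get("algorithm", ["SHA1"])[0].lower(),
    }


def code_from_vault_entry(uri: str, unix_time: int) -> str:
    """Everything needed to produce a valid code is inside the stored URI itself."""
    p = parse_otpauth(uri)
    return totp(p["secret"], unix_time, p["period"], p["digits"], p["algorithm"])


if __name__ == "__main__":
    import time
    print("code now   :", code_from_vault_entry(EXAMPLE_URI, int(time.time())))
    # RFC 6238 vector: at t=59 the SHA-1 code is 94287082, i.e. 287082 at six digits.
    print("t=59 (RFC) :", totp(RFC_SECRET, 59))
```

Running it with `python totp_example.py` prints the current code for the constructed entry plus the RFC check value; `service_verify` is the same computation the service performs on its own copy of the secret, which is the asymmetry the post above contrasts with FIDO, where the service stores only a public key.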
I don’t know why this is seemingly impossible to find out, but I want to know if you link a paid Proton Pass account—not Unlimited/Business/Visionary, just the standalone Pass subscription—to a free SimpleLogin account, does it upgrade that SimpleLogin account to Premium status?
If anyone has tested this and knows for sure, please let me know.
Tried the Proton Pass app and extension as an Unlimited user. The extension version is nicer than Bitwarden for sure; it detects some websites’ login fields better and also offers a nice-looking drop-down menu.
The app version, however… is a bit lacking. One thing that always bugged me was the incomplete autofill implementation in password manager apps on Android. Bitwarden got it right for both Firefox and Chrome(ium). For Proton Pass, it has some issues for usernames in Brave. Works for Firefox and Vivaldi though.
It is also mildly annoying that the vault can only be managed from the extension and the app; visiting Pass from the web just shows you the settings page.
I’m not really sure if I want to use it, but I’m tempted to pay the promotional price of $12 per year for the premium service. I quite liked the aesthetics, but I don’t use Proton’s email service much, so I wouldn’t use the hide-my-email system as often.
Generally, I use Bitwarden, and I like that you can paste the API key for the DDG hide-email service, but I have my doubts about this Proton service.
On my Pixel 7 Pro it constantly crashes at startup of the app. A reinstall makes it work again for about half a day and then it’s crashing again. I assume it is something to do with the search feature and the local DB being full, but there is no way to assess that.