Should I use my password manager for storing TOTP codes?

Yes, but where we disagree here is the definition of “2FA.” Storing your password and TOTP code in your password manager is 1FA. Your password manager is a single factor which grants access to your accounts. You can’t think of TOTP as “2FA” inherently just because it takes a different form than a password.

Thus, my argument is that there is simply no difference between storing TOTP in your password manager, and not using TOTP at all. I’ll break it down: There are really only two main benefits to TOTP 2FA:

  1. Mitigating the risk of password reuse.
  2. Acting as a physical second factor, when your codes are stored only on a separate device.

The first benefit is also achieved by password managers already, if you simply use randomized passwords for every service. The second benefit is negated when you store your codes in a password manager app, as you said.

This is the reason I’m only focusing on separate 2FA apps. Storing TOTP codes in your password manager simply provides negligible real-world benefit to the point where it doesn’t really matter whether you do it or not.

Storing TOTP codes in your password manager really only mitigates two risks as far as I can tell:

  1. Replay attacks, which are prevented by HTTPS.
  2. MITM attacks, which are prevented by HTTPS.

And in either case, both are wildly unlikely anyway compared to easier attacks like phishing, which TOTP doesn’t protect against in the first place. These two attacks were perhaps more relevant a decade ago when TOTP became popular and Let’s Encrypt didn’t exist, but aren’t super relevant today.
For the sake of completeness I’ll note that storing FIDO2 Passkeys in a password manager does make sense and provides significant advantages over just using a password manager alone, so I’m really only referring to TOTP specifically when I talk about how using your password manager for 2FA doesn’t provide an additional advantage over simply using a password manager in the first place.

Although even in the case of Passkeys it’s still 1FA, the advantage here is that Passkeys are more secure than both passwords and TOTP in other ways.
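To make the “it’s still 1FA” point concrete, here is an added example (not code from the post or from any password manager): an RFC 6238 TOTP implementation run against a constructed, hypothetical vault entry. When the TOTP seed sits in the same vault as the password, the vault contents alone reproduce a complete password+code login; when the seed lives only on a separate device, one factor is still missing.

```python
import hmac
import hashlib
import struct
import time


def totp(secret: bytes, unix_time: int, digits: int = 6, step: int = 30) -> str:
    """RFC 6238 TOTP (HMAC-SHA1): counter = floor(time / step), then HOTP dynamic truncation."""
    counter = struct.pack(">Q", unix_time // step)
    digest = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


# Constructed sample vault entry (hypothetical, not from the post). The TOTP seed is the
# RFC 6238 test secret so the generated codes can be checked against the RFC's vectors.
VAULT_ENTRY = {
    "site": "example.com",
    "username": "alice",
    "password": "correct horse battery staple",
    "totp_secret": b"12345678901234567890",
}


def login_material_from_vault(entry: dict, unix_time: int) -> dict:
    """Everything a password+TOTP login needs, derived from the vault contents alone."""
    material = {"username": entry["username"], "password": entry["password"]}
    if entry.get("totp_secret") is not None:
        material["totp_code"] = totp(entry["totp_secret"], unix_time)
    return material


def factors_missing_after_vault_compromise(entry: dict) -> int:
    """0 when the seed is stored beside the password (one factor in practice);
    1 when the seed is kept only on a separate device."""
    return 0 if entry.get("totp_secret") is not None else 1


if __name__ == "__main__":
    now = int(time.time())
    print(login_material_from_vault(VAULT_ENTRY, now))
    print("factors still missing:", factors_missing_after_vault_compromise(VAULT_ENTRY))
    separate_device = dict(VAULT_ENTRY, totp_secret=None)
    print("factors still missing:", factors_missing_after_vault_compromise(separate_device))
```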