Storing TOTPs in a Password Manager

I keep my TOTPs (2FA codes) stored in a password manager, but I’ve also activated TOTP for the manager itself. As a result, I use another TOTP app on my phone to generate codes for logging into the password manager. Given this setup, can I accurately conclude that because accessing my password manager necessitates having access to my phone, there hasn’t been any reduction in security despite storing my TOTPs within the password manager?

Yes, you still have 2 factors (assuming, obviously, the password manager requires a password), so there has not been a reduction in security. Your attack surface is also the same, since your previous setup would have had all the TOTPs on the same phone and all passwords in the same manager anyway (so compromise of both yields the same result in either scenario).

3 Likes