- Eavesdropping on you doesn't happen because you use the password manager's autofill.
- Hacking service X, TOTP doesn't matter. They'll have the TOTP shared secret, but who cares anyway, they have access to your whole account.
- Using the same password across sites -> shouldn't happen either, this is why you are using a password manager.
- Phishing: while they cannot access your TOTP secret, they can just ask you for a TOTP code while phishing as well and log onto your account.
So what is this scenario where an attacker knows your password, needs your TOTP, but doesn't have it? The primary scenario I can think of is where they somehow compromised your password manager, but you stored your TOTP secrets on a separate, uncompromised device (like your phone).
>- Eavesdropping on you doesn't happen because you use the password manager's autofill
Not necessarily always, I could also copy-paste from the password manager (e.g. for some app that doesn't support the autofill), write it from memory at some point, and so on.
"Password manager" just means "place to store passwords safely"; it doesn't mandate that the passwords are generated by it, that autofill and browser extensions are used, and so on.
>- Hacking service X, TOTP doesn't matter. They'll have the TOTP shared secret, but who cares anyway, they have access to your whole account.
They can (and often do) hack and get the passwords, but not at the same time have access to the account data. E.g. just hack the auth, or have the password file/db leak, etc.
>- Using the same password across sites -> shouldn't happen either, this is why you are using a password manager.
Doesn't matter, can still happen anyway. Not all passwords were created with the password manager, and some that someone might not have bothered to change once he added them there.
>- Phishing: while they cannot access your TOTP secret, they can just ask you for a TOTP code while phishing as well and log onto your account.
That's still about them not having and needing your TOTP.
>So what is this scenario where an attacker knows your password, needs your TOTP, but doesn't have it?
For starters, the case where they "ask you a TOTP code while phishing" and you don't give it to them.
It's not mandatory that you're prone to their phishing.
> - Eavesdropping on you doesn't happen because you use the password manager's autofill.
I rate this more likely and it’s one reason I still use TOTP stored in the same place as the password for other services.
A lot of sites are susceptible to CDN JavaScript compromises, and at least with TOTP stored in the same place as the password, a password replay attack has a very tight window of usability.