
>> You can log into a password manager from the browser. Now you’re completely pwned.

> Can you elaborate here?

Your point is that if you have both a password manager and a 2FA app, it is functionally as insecure as just having a password manager with integrated 2FA storage. I pointed out how that is worlds apart. If you store your passwords and TOTP together in a password manager, and someone breaches it by, say, shoulder peeping, they can just log in via the web and now they have full access.

In the case of a separate 2FA app, no such luck for them. They can log in to your password manager, but since they don't have access to your TOTPs, they can't log in anywhere (or anywhere important, if you do what I do). This means they can't breach your Apple/Google account or 2FA either.

> Separating the passwords and TOTP but still using just 1 device can also be a single point of failure.

But if someone compromises your phone, they are already physically close. At that point they can also just yoink your Yubikey out of your bag or pocket, both within less than a meter of your phone :) In general, theorizing about evil maid attacks is useless because any sufficiently motivated threat actor with access to you and your stuff will breach no matter what, and your unfriendly neighborhood hacker will not have sufficient motivation and/or tech to breach you.

If you mean that as: if you drop your phone in a lake on vacation you're SoL... well, keep a sheet of backup codes printed and hidden or in a vault and bring it with you on vacation. The backup codes aren't enough for any opportunistic thief, as they'd still need your password and/or access to your e-mail.



> But if someone compromises your phone, they are already physically close.

I don't know how to respond nicely to such an idiotic comment.


How else would they compromise your phone?

They're not going to be able to log in to your Apple/Google account due to... drum roll... 2FA.

The only idiot is you.


You said this above:

> They can log in to your password manager, but since they don't have access to your TOTPs, they can't log in anywhere (or anywhere important, if you do what I do). This means they can't breach your Apple/Google account or 2FA either.

This is wrong. TOTP apps like Authy have no authentication. Open the app and the codes are just there, visible to anyone without having to unlock it.


Okay, let me put it less ambiguously:

If they log in to your password manager in a remote location, from their own device, they can't get to your TOTPs if you store them separately in an app on your phone.

> TOTP apps like Authy have no authentication.

This is just wrong. My Authy is locked with separate pincode+FaceID and has been for years.

And in general, if they are in your physical phone (presumably because they know your pincode), they can wreak all sorts of havoc already. They can add themselves as an alternative recovery e-mail to your Apple ID / Google account. Perhaps they can even disable TOTP 2FA via SMS, although I am not too certain of that.
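The point argued above (a leaked vault that holds only passwords does not let a remote login succeed, while a vault that also holds the TOTP seed does) can be made concrete with a small model. The code below is an added illustration and is not from any commenter or from any password-manager product. It implements RFC 4226 HOTP / RFC 6238 TOTP with Python's standard library, a hypothetical server-side `server_login` check with a one-step clock-skew window, and a `remote_login_from_vault` function that models a login attempt using only what a given vault contains. The password, the TOTP seed (the RFC 6238 test-vector secret) and the fixed timestamp are constructed sample values.

```python
import hmac
import hashlib
import struct

# --- RFC 4226 / RFC 6238 (standard algorithms, SHA-1, 6 digits) -------------

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP: HMAC-SHA1 over the big-endian 8-byte counter, dynamically truncated."""
    msg = struct.pack(">Q", counter)
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """TOTP: HOTP with the counter derived from the current 30-second time step."""
    return hotp(secret, unix_time // step, digits)


# --- Constructed sample data (not real credentials) --------------------------

SITE_PASSWORD = "correct horse battery staple"      # constructed
TOTP_SEED = b"12345678901234567890"                 # RFC 6238 test-vector secret
SAMPLE_TIME = 59                                    # RFC 6238 test-vector timestamp

# Two ways the same user might organise a password-manager vault:
COMBINED_VAULT = {"password": SITE_PASSWORD, "totp_seed": TOTP_SEED}  # passwords + TOTP together
SEPARATE_VAULT = {"password": SITE_PASSWORD}                          # TOTP kept in a separate app


# --- Hypothetical relying-party check ---------------------------------------

def server_login(password: str, code: str, unix_time: int, step: int = 30) -> bool:
    """Accept only the correct password plus a TOTP code from the current window
    or one step either side (the usual allowance for clock drift)."""
    if not hmac.compare_digest(password, SITE_PASSWORD):
        return False
    for skew in (-1, 0, 1):
        expected = hotp(TOTP_SEED, unix_time // step + skew)
        if hmac.compare_digest(code, expected):
            return True
    return False


def remote_login_from_vault(vault: dict, unix_time: int) -> bool:
    """Model a login attempt from another device using only the vault contents.
    Without the TOTP seed there is no way to compute the code, so the second
    factor is effectively a blind guess (modelled here as a fixed wrong code)."""
    password = vault.get("password", "")
    seed = vault.get("totp_seed")
    code = totp(seed, unix_time) if seed else "000000"
    return server_login(password, code, unix_time)


if __name__ == "__main__":
    print("combined vault leaked ->", remote_login_from_vault(COMBINED_VAULT, SAMPLE_TIME))
    print("separate vault leaked ->", remote_login_from_vault(SEPARATE_VAULT, SAMPLE_TIME))
```

The model deliberately covers only the remote case discussed in the thread: it says nothing about an attacker who holds the unlocked phone, where both the vault and the separate authenticator app are reachable, which is the scenario the replies disagree about.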



