> This is why I will not use 2FA except on services where it is absolutely required
Software 2FA just computes a number based on a secret string. You treat the latter the same way you take care of your passwords. That's why it's best to handle them with your password manager. 2FA over SMS is even less of an issue (except maybe with a broken eSIM chip). Physical methods are a problem, so you have to spend money for a backup.
I could store the secret in my password manager if I paid for Bitwarden Premium (and at $10 a year, price isn't really the issue), but then what is even the point? If my password and my secret are stored in the same place then that's really just a single factor, so I'm making the login process more annoying for no reason.
I'd see it as a single point of failure, but not necessarily a single factor. If the password is compromised due to a problem on the application side, they still can't get into your account without the TOTP code.
Of course the threat model is kinda skewed because this case is more applicable when one's reusing passwords or using weak passwords, which shouldn't be happening if you're using a password manager.
Maybe a more relevant threat is password gets compromised from a MITM attack, in which case they still don't have access to your TOTP
> If the password is compromised due to a problem on the application side, they still can't get into your account without the TOTP code.
But as you say, since I'm using a password manager, this doesn't feel like a legitimate concern. If the application's database leaks, my password is still safe, because no one will crack a randomly generated 20+ character password.
> Maybe a more relevant threat is password gets compromised from a MITM attack, in which case they still don't have access to your TOTP
But they'll have the code, so as long as they use it right away, they can still get into my account and download my data / spam my contacts / whatever.
How many well-formed passwords can and will you remember? How often are you willing to change them afterwards? How secure is your 2FA app? How secure is your device against keylogging? How sure are you no one will watch what you've typed in or when you reveal it to fix a typing error? And so on. It isn't as if there are no issues with the classic way.
That's why you maintain the knowledge-possession separation at the access to your password manager (file) with a combination of a password and either a key file or hardware key.
If you store your secrets in encrypted files rather than specialized server solutions, it's also easier to separate and store them in different locations.
Sorry, I don't understand where you're going with your questions. I do use a password manager (Bitwarden). I do not use 2FA. I don't understand how using so-called 2FA but storing my secrets in the same place as my passwords would make me more secure.
You should reread your own posts. I'm only responding to what you write yourself.
If you do not understand the purpose of 2FA, there are plenty of online resources available.
As I explicitly wrote, you can store secrets in separate places, and if you don't, you still protect yourself against password recovery attacks or interception and add redundancy.
Really 2FA is just a complex way to give users a strong unique password. Everything else about it is security theatre (e.g. why do you care about your password and secret being stored in the same place, when your session cookie is just stored in one place and is all the attacker needs?).
SMS is a much bigger issue if you are in another country, temporarily lose access to your phone, or work in a building without phone reception. It's prone to SIM swaps and could be intercepted by other apps on your phone. It requires having a fixed, serviced phone number, which people don't always have: children, homeless people and recent immigrants might struggle with that.
All of these scenarios happened to me, and I'm a fairly normal person.