I'd see it as a single point of failure, but not necessarily a single factor. If the password is compromised due to a problem on the application side, they still can't get into your account without the TOTP code.
Of course the threat model is kinda skewed because this case is more applicable when one's reusing passwords or using weak passwords, which shouldn't be happening if you're using a password manager.
Maybe a more relevant threat is password gets compromised from a MITM attack, in which case they still don't have access to your TOTP.
> If the password is compromised due to a problem on the application side, they still can't get into your account without the TOTP code.
But as you say, since I'm using a password manager, this doesn't feel like a legitimate concern. If the application's database leaks, my password is still safe, because no one will crack a randomly generated 20+ character password.
> Maybe a more relevant threat is password gets compromised from a MITM attack, in which case they still don't have access to your TOTP.
But they'll have the code, so as long as they use it right away, they can still get into my account and download my data / spam my contacts / whatever.