> If the password is compromised due to a problem on the application side, they still can't get into your account without the TOTP code.
But as you say, since I'm using a password manager, this doesn't feel like a legitimate concern. If the application's database leaks, my password is still safe, because no one will crack a randomly generated 20+ character password.
> Maybe a more relevant threat is password gets compromised from a MITM attack, in which case they still don't have access to your TOTP
But they'll have the code, so as long as they use it right away, they can still get into my account and download my data / spam my contacts / whatever.
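The replay scenario described in the comment above is exactly what a TOTP verifier's single-use rule is meant to narrow: a code captured in transit is only good until the legitimate login consumes that time step. The following is an added example, not code from the thread or from any TOTP library. It implements RFC 6238 TOTP (HMAC-SHA1, 30-second step, 6 digits) plus a verifier that records the highest accepted time-step counter per account and rejects anything at or below it; the account name, the skew window of one step, and the reuse of the RFC's reference secret as sample key material are all constructed for the example.

```python
"""TOTP verifier with single-use (anti-replay) enforcement.

Added example, not code from the thread or any project. Implements RFC 6238
TOTP over RFC 4226 HOTP and a verifier that accepts each (account, time step)
at most once, so a code intercepted on the wire can be replayed only until
the legitimate user's own login lands. All sample values are constructed.
"""
import hashlib
import hmac
import struct

STEP_SECONDS = 30
DIGITS = 6
WINDOW = 1  # accept the current step plus one step either side for clock skew


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    msg = struct.pack(">Q", counter)
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = STEP_SECONDS) -> str:
    """RFC 6238 TOTP: HOTP where the counter is the number of elapsed time steps."""
    return hotp(secret, unix_time // step)


class TotpVerifier:
    """Accepts each (account, time-step counter) at most once.

    The verifier remembers the highest counter it has accepted per account and
    refuses any code at or below it. An attacker who intercepts password + code
    therefore only wins the race if they submit before the legitimate login;
    afterwards the captured code is dead even inside its 30-second step.
    """

    def __init__(self, secrets: dict):
        self._secrets = secrets          # account -> shared secret bytes
        self._last_counter = {}          # account -> last accepted counter

    def verify(self, account: str, code: str, unix_time: int) -> bool:
        secret = self._secrets.get(account)
        if secret is None:
            return False
        current = unix_time // STEP_SECONDS
        last = self._last_counter.get(account, -1)
        for counter in range(current - WINDOW, current + WINDOW + 1):
            if counter <= last:
                continue  # already consumed, or older than a consumed step
            if hmac.compare_digest(hotp(secret, counter), code):
                self._last_counter[account] = counter
                return True
        return False


def replay_demo():
    """Legitimate login succeeds; an immediate replay of the same code is refused."""
    secret = b"12345678901234567890"  # RFC 6238 reference secret, used here as constructed sample key
    verifier = TotpVerifier({"alice": secret})
    t = 1111111111
    code = totp(secret, t)
    first = verifier.verify("alice", code, t)        # user logs in
    replay = verifier.verify("alice", code, t + 5)   # captured code replayed in the same step
    return first, replay


if __name__ == "__main__":
    print(replay_demo())
```

The trade-off worth knowing: the skew window must stay small (one step either side here), because every extra step the server tolerates is extra time during which an intercepted code remains usable if the legitimate login has not yet consumed it.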