> People have started storing their TOTP tokens in their password managers, which effectively reimplements single-factor authentication!
The thing is that many services are now requiring TOTP in places where I don't want it, since I was already using a strong/unique password, and the TOTP requirement is effectively just to protect the service from having to deal with users who get their passwords stolen. If you're going to make me use TOTP where I don't want it, I'm going to automate its input.
I think you'd be drastically better off not wasting effort with a strong/unique password on places you "don't want" MFA, in favor of using MFA, which is always better at defeating an attacker than any password.