The only true 2nd factor is a setup where your totp codes live on a separate piece of physical hardware. If your totp codes are in an app on your phone, and your password is in a different app on your phone, you're not pure 2nd factor despite convincing yourself that you are. Anything that is convenient is not real 2FA. Real 2FA needs to be pick two of: a password in your head, a verifiable biometric signature, a code/key on your phone or separate physical hardware yubikey.
I'm not saying I think everyone needs real 2FA. I think 99.999% of the time storing your 2FA codes in your PW manager, or just moving on to Passkeys, is the right answer. 2FA is a hack put in place to mitigate passwords being relatively insecure and phishable. It's supplanted by Passkeys.
I think you're letting perfect be the enemy of good. It doesn't have to be pure 2FA to be better than 1FA. Being in separate apps does give some benefits. It's always going to be harder to compromise two apps than it is to compromise just one of them (even if the difficulty increase is marginal, it's non-zero). Often simply not being low-hanging fruit is enough to save you from an attack.
There are plenty of things for which a 2FA in PW manager is fine, but for the most important things I think it's an unnecessary and regretful reduction in security. For example, email account. Email is the "forgot password" way to get access to almost everything, so it's worth a trifling inconvenience in having to load your 2FA into a different app. Same with things like AWS, Cloudflare, and other high-value targets. For the vast majority of people, keeping your Twitter seeds in your PW manager is fine, but it's foolish to do that with your email and other high-value targets, and IMHO if you're already going to have to have two apps, you might as well just standardize and keep the seeds in your authenticator app, and your passwords in your vault. YMMV
I did read your second paragraph. There is some ambiguity, but I ultimately decided you weren't agreeing with me because you said (emphasis added):
> I think 99.999% of the time storing your 2FA codes in your PW manager, or just moving on to Passkeys, is the right answer.
If you're storing your 2FA codes in your PW manager, then you're NOT using separate apps. You're using the same app (your PW manager). My argument is that you should use separate apps for the things that matter, like your email (which can be used to get access to almost every other account), and since you're already using separate apps for those things, you might as well just be consistent so you don't have to remember where each TOTP token is stored.
I see three levels we've discussed:
1. Pure 2FA using hardware token or equivalent (which I agree is rarely needed)
2. Impure 2FA but separate app for storing passwords and TOTP tokens (which I'm advocating for)
3. Storing TOTP tokens in PW manager (which you appear to be arguing for in 99.999% of cases, which is basically all of them)
If you are actually advocating for level 2, then we agree, but from reading your 2nd paragraph it seems pretty clearly to be arguing for level 3.
> Real 2FA needs to be pick two of: a password in your head, a verifiable biometric signature, a code/key on your phone or separate physical hardware yubikey.
My thumbprint isn't stored on my phone, so I have two factors.
From the PCI Security Standards supplement on MFA,
> The issue with authentication credentials embedded into the device is a potential loss of independence between factors—i.e., physical possession of the device can grant access to a secret (something you know) as well as a token (something you have) such as the device itself, or a certificate or software token stored or generated on the device. As such, independence of authentication factors is often accomplished through physical separation of the factors; however, highly robust and isolated execution environments (such as a Trusted Execution Environment [TEE], Secure Element [SE], and Trusted Platform Module [TPM]) may also be able to meet the independence requirements.
So your phone can constitute a token, while the biometric constitutes the second factor. I don't know about Apple phones, but Google's requirements for biometrics are:
> Capturing and recognizing your fingerprint must happen in a secure part of the hardware known as a Trusted Execution Environment (TEE).
> Hardware access must be limited to the TEE and protected by an SELinux policy.
> Fingerprint data must be secured within sensor hardware or trusted memory so that images of your fingerprint aren't accessible.
I think you misunderstood me. I agree that biometric plus password or device key would constitute two factors. I perhaps believe that you can’t really trust the device to have performed biometric verification without some sort of software attestation. So if the security of your protocol depends on two factors, you’d need to, yes, have a biometric signature or remote attestation that a biometric check has been performed.
That's a pretty user-hostile attitude. Sure, some combinations of factors are pretty unergonomic, but I'd call that a bug, not a feature.
It's also incorrectly suggesting that somehow complexity/painful usability automatically yields security, while usually the opposite is true:
An effective secure authentication solution absolutely must consider usability, or it's doomed to be circumvented by users in one way or another (either via some insecure practice, or by your users simply ceasing to be your users).