If the site is compromised, then the hackers could have stolen the TOTP secrets as well as the passwords. How do you think the site verifies TOTP codes? If you reuse passwords while using a password manager, you are asking for it, though.
A full hack of every part of the service is not the only way a user’s password could get known to an attacker. Could be MiTM, could be typo-squatted, etc
If a site is that compromised no measure of auth is gonna help, so little use worrying about it.
A lot of the technology you use to connect over VPNs or over the Internet already addresses MitM. If it’s typo-squatted, you are sort of using password managers wrong. You do have the option of setting up TOTP elsewhere like on your phone authenticator so the point of failure isn’t on your side, I just think it’s sort of funny how easily you can make it be one.
If the site is compromised, then the hackers could have stolen the TOTP secrets as well as the passwords. How do you think the site verifies TOTP codes? If you reuse passwords while using a password manager, you are asking for it, though.
A full hack of every part of the service is not the only way a user’s password could get known to an attacker. Could be MiTM, could be typo-squatted, etc
If a site is that compromised no measure of auth is gonna help, so little use worrying about it.
A lot of the technology you use to connect over VPNs or over the Internet already addresses MitM. If it’s typo-squatted, you are sort of using password managers wrong. You do have the option of setting up TOTP elsewhere like on your phone authenticator so the point of failure isn’t on your side, I just think it’s sort of funny how easily you can make it be one.