If you're already using a password manager with secure randomized passwords, you're not vulnerable to credential stuffing unless that specific service had a breach. I suppose TOTP may still protect against unsophisticated phishing, but only as long as the attacker doesn't phish a TOTP code at the same time and pass it straight along to the service.
Are there other threats that TOTP-in-password-manager can protect against that the randomized passwords don't already?
>Are there other threats that TOTP-in-password-manager can protect against that the randomized passwords don't already?
tbh the UX problem of 2fa for "I use random passwords and am not vulnerable to credential stuffing" users is a pretty big reason to stick TOTPs in your password manager.
Security is always a series of trade-offs, and 2fa brings some hideous trade-offs in many sites (well over half only allow one at a time, for example, and then you lose access permanently). TOTP with a standard like this lets you choose, rather than the site choosing for you.
Right, and if an attacker can dump password hashes they can likely dump TOTP seeds as well. With that level of database access the attacker may be able to steal all your info from the impacted service, so talking about the password may even be a distraction since all your data is already stolen.
Yes. A bunch. Service accounts that need to be shared between a limited group of people.
TOTP + something like 1P moves this from
happy-monday-an-infra-engineer-left-time-to-rotate-100-accounts to something you can just do periodically as you like.
Are there other threats that TOTP-in-password-manager can protect against that the randomized passwords don't already?