I always thought that the benefit of the physical device was that it was decoupled from the main device. If someone steals my laptop, for example, they won't be able to access my MFA secured accounts unless they ALSO steal my phone (and are unable to lock it).
cyphar|3 years ago
Personally my view is that (if you're using a password manager with a unique password per-site) 2FA primarily protects you when you have to input your password on an untrusted system that may have a keylogger. In that case it doesn't really matter where you store the TOTP key (presumably you're not going to unlock your password database on that machine).
To be fair, in the case of a security bug in the password manager (such as the few previous LastPass bugs in this vein), you are slightly more protected. But I use KeePassXC, which has a far more segregated design, so I'm not as worried about this as I would be if I were using a password manager entirely integrated into the browser (either built-in or an extension).
(Though these days I primarily use U2F/WebAuthn if the site supports it.)