Yes: to a first approximation, a second factor is something you are (or have), while a first factor is something you know. A second factor doesn't need to be unique, although uniqueness has separate benefits (especially when the unique factor is hard to clone or access physically).
I'm going off the assumption that you mean storing your password and TOTP secret in the same app.
It's also worth noting that the "physical attacker" scenario is outside of most people's threat models, even if they think that it isn't: most people leave their physical second factors plugged into their devices or on their desks, and interposing between a user's computer and their keyboard doesn't require any technical ability (only the ability to plug and unplug a USB).
woodruffw|2 years ago
TOTP isn't an ideal second factor, for most of the reasons above (combined with poor adherence to the standard, meaning that only the most basic subset of features tend to work). But it is still a second factor, unless you can do HMACs in your head :-)
zokier|2 years ago
But the typical totp-in-password-manager setup is missing the other factor, there is nothing you know in such setup.
Xaiph_Rahci|2 years ago
Ok. Thanks for sharing your thoughts.
heywoodlh|2 years ago
Personally, I think storing your password and TOTP secret is worthwhile, but it ultimately depends on your threat model.
If your threat model is someone walking up to your unlocked desktop and unlocked password manager, then it's not very effective. That being said, I believe a determined enough attacker will always win -- just be more annoying to pwn than others and you will sift out the majority of attackers, imo.
But, if your threat model is that a website you use suffers a data breach and your username/password hashes are stolen, you have an extra line of defense with that second factor. This pretty much happens or will happen to everyone with online accounts at some point.
So my long-winded answer is that I do still consider it two factor auth, and I do think it's worthwhile -- but all effective security should be layered with extra defenses when possible.
EDIT: fixed some grammar, added some extra context.
woodruffw|2 years ago
The risk with same-device (or same-manager TOTP) isn't necessarily in a physical adversary (who's going to win anyways), but in a digital adversary who can run code (or read files) on one device but not several. That's one of the main reasons users are encouraged to use physical factors or, lacking that, an on-device factor that requires some kind of OS-mediated privileged interaction.
Xaiph_Rahci|2 years ago
Yes, correct.
> So my long-winded answer is that I do still consider it two factor auth.
Ok, thanks for sharing your thoughts.
patrakov|2 years ago
While PCI DSS 4.0 says nothing specific about TOTP, it on page 171 also has this phrase about certificates:
"A digital certificate is a valid option for “something you have” if it is unique for a particular user".
So it is not an unreasonable analogy to claim that the TOTP seed stored in a desktop application is also "something that you have", as not having it prevents you e.g. from logging in from your friend's laptop.
Xaiph_Rahci|2 years ago
Oh, ok. This is very convincing. Thanks for sharing.
pedrogpimenta|2 years ago
Xaiph_Rahci|2 years ago
If you have two different passwords, aren't they still only one factor (knowledge)?
> specially if you have...
You mean to say in case the password and the TOTP seed are stored in the same password manager, then it is no longer 2FA?