
My password manager, as is standard for most of them, will not fill or show a password if the URL being visited doesn't match the credential. Thus, a credential not showing is a huge red flag. The workflow is pretty standardized so any deviation is a big red flag.

Maybe you can be more specific about the attack flow you are imagining and how it will work technically to bypass my controls.

To answer your question, no, and I provided details. It literally provides a second, non-portable factor with a different vulnerability surface.

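The comment above relies on one concrete rule: autofill is bound to the origin the credential was saved on, so a page whose origin does not match gets nothing. The following is an added example, not code from this thread or from any real password manager, that implements that rule in Python. The vault contents, the hostname `accounts.example.com` and the helper names `origin_of` and `fill_decision` are constructed for illustration; it normalizes the host to punycode so a Unicode look-alike label cannot compare equal to the ASCII host, and it refuses to fill on non-HTTPS pages or on hosts that merely contain the saved host as a substring.

```python
from urllib.parse import urlsplit

# Constructed example vault (not any real product's storage format). Each
# credential is keyed by the exact origin it was saved on: (scheme, host, port).
VAULT = {
    ("https", "accounts.example.com", 443): {"user": "alice", "password": "correct-horse"},
}


def origin_of(url):
    """Return the (scheme, ascii-host, port) origin of a URL, or None if it is unusable."""
    parts = urlsplit(url)
    host = parts.hostname  # lower-cased by the parser; any user:pass@ prefix is stripped
    if parts.scheme != "https" or not host:
        return None
    try:
        # Normalize to punycode so a Unicode look-alike label (e.g. Cyrillic 'a')
        # never compares equal to the ASCII host the credential was saved under.
        host = host.encode("idna").decode("ascii")
    except UnicodeError:
        return None
    try:
        port = parts.port or 443
    except ValueError:  # malformed port component
        return None
    return (parts.scheme, host, port)


def fill_decision(url, vault=VAULT):
    """Decide whether autofill may offer a credential for this page.

    Returns (credential_or_None, reason). A None credential on a page where the
    user expected one is exactly the 'red flag' the comment describes.
    """
    origin = origin_of(url)
    if origin is None:
        return None, "refused: not a usable https origin"
    cred = vault.get(origin)
    if cred is None:
        return None, f"no credential stored for origin {origin[0]}://{origin[1]}:{origin[2]}"
    return cred, "ok"


if __name__ == "__main__":
    # Constructed sample page URLs: only the first one should receive a credential.
    for page in (
        "https://accounts.example.com/login",
        "http://accounts.example.com/login",
        "https://accounts.example.com.evil.test/login",
        "https://accounts.example.com@evil.test/login",
        "https://accounts.ex\u0430mple.com/login",  # Cyrillic 'a' in the second label
    ):
        cred, reason = fill_decision(page)
        print(f"{page!r:55} -> {'FILL' if cred else 'NO FILL'} ({reason})")
```

The matching here is exact-host; real managers differ in whether a subdomain of the saved host also qualifies, and that choice is the main place where policies loosen, so it is worth knowing which rule the one you use applies.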



> My password manager, as is standard for most of them, will not fill or show a password if the URL being visited doesn't match the credential. Thus, a credential not showing is a huge red flag. The workflow is pretty standardized so any deviation is a big red flag.

I agree.

> Maybe you can be more specific about the attack flow you are imagining and how it will work technically to bypass my controls.

Can you be more specific about the attack that your password manager doesn't solve that your TOTP does? The attack I'm suggesting is already solved by your password manager.


I believe I've already written that, but it is that my password manager gets compromised. It is not perfectly secure and has failure points. Given that it is separate from the second factor, a successful attack against the password manager still leaves an attacker unable to log in without a separate compromise of my TOTP code. Of course that can also be compromised, but two compromises is strictly more difficult than one.

Right, so it's "password manager is compromised" or "password is reused", right? I'm pretty skeptical of these mattering relative to phishing, which is radically more common.


