Proton Pass is an open source, end-to-end encrypted password manager app. Create and store passwords, email aliases, 2FA codes, and notes on all your devices
Not fully accurate. The 2FA still prevents issues such as credential stuffing or bruteforcing, which might not depend on you. Of course, these risks are very limited if you use random unique passwords (as it makes sence since you are using a password manager).
Also 2FA is anyway there for the password manager, and if you have a session on, chances are the same applies for the target app (for example, your email). So it’s not completely useless.
This said, I agree with the general principle. I personally use yubikeys where I can, including to store the TOTP codes (I never liked the phone to be 2FA device that much…)
Yeah, that’s what I said one line after. However there are also other corner cases (very unlikely) such as shoulder diving or a video recording, or people simply not using random unique passwords (for example because they chose the password before and they don’t want to rotate it). In general I agree with the principle that is not 2FA if it’s all in one place, but it’s also quite a corner case that the password manager is pwned alone (i.e., and not the target services), and in any case it’s not like not having 2FA at all.
Not fully accurate. The 2FA still prevents issues such as credential stuffing or bruteforcing, which might not depend on you. Of course, these risks are very limited if you use random unique passwords (as it makes sence since you are using a password manager).
Also 2FA is anyway there for the password manager, and if you have a session on, chances are the same applies for the target app (for example, your email). So it’s not completely useless.
This said, I agree with the general principle. I personally use yubikeys where I can, including to store the TOTP codes (I never liked the phone to be 2FA device that much…)
deleted by creator
Yeah, that’s what I said one line after. However there are also other corner cases (very unlikely) such as shoulder diving or a video recording, or people simply not using random unique passwords (for example because they chose the password before and they don’t want to rotate it). In general I agree with the principle that is not 2FA if it’s all in one place, but it’s also quite a corner case that the password manager is pwned alone (i.e., and not the target services), and in any case it’s not like not having 2FA at all.