That sounds good but put them in Authy. That lets you have multiple devices whereas Google limits you to one device.

It's great that people use can use one app for both factors but it seems less secure than two apps.

For example, use Authy for TOTP and LastPass for long passwords. That's two things that have to be compromised. And both of them allow you to have multiple devices (for example iPhone and iPad).

Its great functionality but it reduces your security. Say someone somehow figures out your 1Password password and security key - if you store your OTPs in Authy, your passwords are useless (well, less useful anyway). If you store your OTPs in 1Password, they have the keys to the kingdom.

This is technically true, but the most likely scenarios that result in the discovery of your secret key (128bits of entropy) + master password (?? additional bits) involve things like a device compromise. If your machine is compromised, you’re probably already exposed to things like session cookie stealing. At that point your attack surface is already blown wide open.

The biggest thing 2FA protects against is credential stuffing. If you’re using a password manager and have high entropy site-unique passwords, the additional entropy by TOTP is mostly moot anyway.

TBH for me my threat model looks like this:

Passwords - protect against unauthorized access of my service accounts, and 1Password - can be compromised via logging or breaches or just plain peeping

Secret key - acts as 2FA for my 1Password and thus protects my master password from unauthorized use - can be compromised if someone steals the physical paper on which it's stored

TOTP - protect against unauthorized use of my service accounts - can be compromised if someone compromises my mobile phone or phone number. Highly unlikely someone would spend that kind of effort and €€€ on me though

All in all its a pretty nicely tiered system. If someone gets my master password, they still need the secret key. If a burglar steals my secret key, they don't have my master password. If someone somehow compromises both of those, they still don't have access to my TOTPs and thus can't login into any of my 'cricital' accounts (basically e-mail, hosting providers, finance, etc. etc.)

Now imagine you have an malicious spouse or housemate or whatever: they could easily learn your master password by peeping over your shoulder, piecing it together bit by bit (ha). They have a lot of opportunity to search for your secret key as well. If you put your TOTPs on 1Password, you're boned. But if you have them in an authenticator app, even having access to your password manager means jack because they can't login without your TOTPs.

I know one of the big faux pas is to talk about your security but most of this stuff can be deducted pretty easily so I don't feel too exposed.

Wow that’s awesome! I had no idea 1Password had this functionality so thanks for sharing. I just had a rough time after upgrading my phone dealing with Google Authenticator since I hadn’t realized my Auth info would not migrate along with the rest of my data...

Yes that's what I've been doing after being burned by Google Authenticator once. Not to mention I actually prefer the UI design of 1Password.