> this completely invalidates the 2FA of TOTP if your password manager get broken into
I think that's the big "if". If you assume the password manager is secure (which something clearly wasn't in this case, but that seems like an outlier), TOTP secret in the password manager still secures the account.
Is such a setup as protective as a separate storage method? No, but it's leagues more convenient. A cloud-based PW manager also solves the problem of a lost/broken/new phone causing you to lose all of your 2FA setups. Some 2FA apps do as well (Authy, iirc), but trust me when I say people lose 2FA codes _all the time_. And then 2FA needs to be disabled by support, which is its own can of worms.
The best security measures are the ones people actually use. If not having to use a separate app is the convenience people need, then I think it's totally worth it.
> I know the show was on nearly 20 years ago but I only watched it 2 months ago for the first time
That's why IMO significant spoilers should be marked indefinitely. Sure it's an old show, but tons of people were too young to have watched it at the time. They deserve a fighting chance at seeing it unspoiled.
There may be exceptions to this rule for spoilers that are a core part of culture (say, parental relationships in the Star Wars universe), but it's free to mark spoilers as such. People can feel free to ignore such warnings if they'd like.
Presented without comment: I always have my phone in a case and have never broken anything physical on any phone. My launch-day iPhone 8 still looks great.
Everything reflects light, but not everything reflects it clear enough to read documents through. I haven't held a CD in ages, so it it's possible that folks don't remember exactly how reflective they are. ¯\_(ツ)_/¯
I think that's the big "if". If you assume the password manager is secure (which something clearly wasn't in this case, but that seems like an outlier), TOTP secret in the password manager still secures the account.
Is such a setup as protective as a separate storage method? No, but it's leagues more convenient. A cloud-based PW manager also solves the problem of a lost/broken/new phone causing you to lose all of your 2FA setups. Some 2FA apps do as well (Authy, iirc), but trust me when I say people lose 2FA codes _all the time_. And then 2FA needs to be disabled by support, which is its own can of worms.
The best security measures are the ones people actually use. If not having to use a separate app is the convenience people need, then I think it's totally worth it.