2FA traditionally means relying on one thing you know (i.e. a password) plus one thing you have, or one thing you are (biometrics).
Every single one of my passwords is unique and randomly generated and at least 32 characters, none of them are getting brute forced unless there is a sudden gigantic leap in quantum computing. And if that happens, the world has bigger problems than my passwords.
Having a separate identity factor, something that I own, is not to save me from myself. It's to save me if someone steals my phone or laptop and is able to get into it.
Now we all face different threat models and if your threat model doesn't call for having a totally separate identity factor, great! There's nothing wrong with that. But we don't all face your threat model, and some of us do indeed need a second identity factor that's not stored in the same place as the password.
> Having a separate identity factor, something that I own, is not to save me from myself. It's to save me if someone steals my phone or laptop and is able to get into it.
What if that second factor is physical and stolen along with the things it was supposed to protect? What if your biometrics are cloned in some way?
Having TOTP synchronized across devices, but protected by passwords mitigates those risks as well as the risk that you lock yourself out by loss of a physical token.
> Every single one of my passwords is unique and randomly generated and at least 32 characters, none of them are getting brute forced unless there is a sudden gigantic leap in quantum computing.
One of the threat models that I consider is there being a bug in the particular RNG/encryption algorithm implementation used to get that encrypted password. In that case, my password can possibly be brute forced much faster than purely random guessing.
2FA traditionally means relying on one thing you know (i.e. a password) plus one thing you have, or one thing you are (biometrics).
Every single one of my passwords is unique and randomly generated and at least 32 characters, none of them are getting brute forced unless there is a sudden gigantic leap in quantum computing. And if that happens, the world has bigger problems than my passwords.
Having a separate identity factor, something that I own, is not to save me from myself. It's to save me if someone steals my phone or laptop and is able to get into it.
Now we all face different threat models and if your threat model doesn't call for having a totally separate identity factor, great! There's nothing wrong with that. But we don't all face your threat model, and some of us do indeed need a second identity factor that's not stored in the same place as the password.