Why your password manager shouldn't hold your MFA codes

security opinion mfa

1Password, Bitwarden, and Dashlane all offer built-in TOTP storage. It’s convenient — one app, one unlock, and you have both your password and your 2FA code. But convenience is exactly the problem.

Multi-factor authentication exists because of a simple principle: compromise of one factor shouldn’t compromise another. When your password and your second factor live in the same vault, protected by the same master password, you’ve collapsed two factors into one.

One vault, one breach

The entire point of 2FA is defense in depth. If an attacker gets your password, they still need your phone. If they get your phone, they still need your password. Two separate things, in two separate places, with two separate attack surfaces.

When both factors live in your password manager:

  • A single master password compromise exposes everything
  • A single device compromise exposes everything
  • A keylogger on your laptop captures your master password — and now has both factors
  • A phishing page that captures your password manager session has both factors

You haven’t added a second factor. You’ve added a second field in the same database.

Phishing resistance drops

One of the strongest benefits of a separate authenticator is that it breaks the phishing chain. A phishing site can capture your password, but it can’t reach into a different app on a different device to get the TOTP code. The attacker has to compromise two systems, not one.

With TOTP inside your password manager, auto-fill happily supplies both. The phishing site gets your password and the 2FA code from the same auto-fill action. The security boundary that was supposed to protect you never existed.

A separate authenticator — especially one with push approval — adds a physical step: you see the site name on your phone and actively choose to approve. This is much harder to phish than an auto-filled code.

What NIST says about factor independence

NIST Special Publication 800-63B (Digital Identity Guidelines) explicitly addresses this. The guidance is clear: authentication factors should be independent of each other. Compromise of one factor should not lead to compromise of another.

“The verifier SHALL verify… that the claimant controls each authentication factor.”

The spirit of multi-factor auth is multi-channel auth. Password in the browser, TOTP on the phone. Two different attack surfaces. The NIST framework doesn’t work when both factors go through the same channel.

The convenience trap

The argument for TOTP in your password manager is always convenience. And it is convenient — genuinely. No app switching, no code copying, no 30-second timer anxiety.

But this is the wrong trade-off for security-critical accounts. Convenience and security are sometimes in tension, and MFA is one of those cases. The slight inconvenience of a separate app is the security model working as intended.

The good news: the inconvenience doesn’t have to be that bad. With push-approve auto-fill, you approve on your phone and the code fills in your browser automatically. It’s nearly as fast as password-manager auto-fill, but the factors stay separated.

“But my password manager is encrypted”

Yes, and that’s great. We’re not saying password managers are insecure. 1Password, Bitwarden, and others do excellent work on encryption.

The issue isn’t the quality of the encryption — it’s the blast radius of a single compromise. Your password manager is one of the highest-value targets on your device. If it’s compromised, you want to limit the damage to passwords. Adding MFA codes to the same target increases the value of that single attack without increasing the difficulty.

Separate systems mean an attacker needs two separate wins, not one.

The better setup: separate apps for separate factors

The architecture that multi-factor auth was designed for:

  • Passwords → password manager (1Password, Bitwarden, etc.)
  • 2FA codes → dedicated authenticator app (FactorCat, etc.)
  • Two devices — password manager on your laptop, authenticator on your phone

Each factor has its own attack surface, its own unlock mechanism, and its own recovery path. Compromise of one doesn’t give you the other.

How FactorCat fits

FactorCat is a dedicated MFA app — it doesn’t store passwords, and your password manager doesn’t need to store TOTP codes. They stay separated by design.

What FactorCat adds over a basic authenticator:

  • Push approval — your phone approves, your browser fills the code. No copying.
  • Auto-fill — the browser extension fills the 2FA code after approval. Nearly as fast as password-manager auto-fill, but the factors are separated.
  • Cloud Vault — cloud sync and easy recovery without compromising factor separation
  • Locked Vault — zero-knowledge encryption for your highest-value accounts

The extension never stores TOTP secrets. It only receives the computed 6-digit code after you approve. Even if the extension were compromised, the attacker gets one expiring code — not the secret.
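To make the secret-versus-code distinction concrete (and the "second field in the same database" point from earlier), here is an added example that is not FactorCat's code or protocol: a standard-library Python implementation of RFC 6238 TOTP, a typical server-side verifier with a one-step skew window, and a deliberately simplified phone/extension split in which the phone holds the secret and the extension only ever receives a code. The secret and timestamps are the published RFC 6238 test vectors, not real account data; the `PhoneAuthenticator` and `BrowserExtension` classes and their site-name check are assumptions of this model, not a description of any product.

```python
"""Added example (not FactorCat's code): RFC 6238 TOTP plus a phone/extension split.

The point it demonstrates: whoever holds the *secret* can compute a valid
code for any time step, forever; whoever captures a single *code* has
something that stops verifying after the current step (plus skew window).
Secret and timestamps are the RFC 6238 Appendix B test vectors.
"""
import base64
import hashlib
import hmac
import struct
from typing import Dict, Optional

STEP = 30    # TOTP time step in seconds (RFC 6238 default)
DIGITS = 6   # code length used by most services

# RFC 6238 test secret: ASCII "12345678901234567890", base32-encoded.
RFC_TEST_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def hotp(secret_b32: str, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    key = base64.b32decode(secret_b32, casefold=True)
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret_b32: str, unix_time: int, step: int = STEP) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step)."""
    return hotp(secret_b32, unix_time // step)


def verify(secret_b32: str, code: str, unix_time: int, window: int = 1) -> bool:
    """Server-side check (assumed typical behaviour): accept the current step
    and +/- `window` neighbouring steps for clock skew, comparing in constant time."""
    current = unix_time // STEP
    return any(
        hmac.compare_digest(hotp(secret_b32, c), code)
        for c in range(current - window, current + window + 1)
    )


class PhoneAuthenticator:
    """Hypothetical second-factor device: the only place secrets live."""

    def __init__(self) -> None:
        self._secrets: Dict[str, str] = {}

    def enroll(self, account: str, secret_b32: str) -> None:
        self._secrets[account] = secret_b32

    def approve(self, account: str, site_shown_to_user: str, unix_time: int) -> str:
        # Models the user reading the site name on the phone before approving:
        # a request whose site does not match the enrolled account is refused,
        # so no code is ever produced for it.
        if site_shown_to_user != account:
            raise PermissionError(
                f"request from {site_shown_to_user!r} does not match enrolled {account!r}"
            )
        return totp(self._secrets[account], unix_time)


class BrowserExtension:
    """Hypothetical extension: receives a computed code, never a secret."""

    def __init__(self, phone: PhoneAuthenticator) -> None:
        self._phone = phone
        self.last_code: Optional[str] = None

    def fill(self, account: str, page_site: str, unix_time: int) -> str:
        self.last_code = self._phone.approve(account, page_site, unix_time)
        return self.last_code


if __name__ == "__main__":
    phone = PhoneAuthenticator()
    phone.enroll("example.com", RFC_TEST_SECRET)   # constructed account name
    ext = BrowserExtension(phone)
    code = ext.fill("example.com", "example.com", 59)
    print("code handed to extension:", code)                       # 287082
    print("valid at the time it was issued:", verify(RFC_TEST_SECRET, code, 59))
    print("same code much later, no skew window:",
          verify(RFC_TEST_SECRET, code, 1234567890, window=0))     # False
    print("secret still produces a valid code later:",
          verify(RFC_TEST_SECRET, totp(RFC_TEST_SECRET, 1234567890), 1234567890))
```

Run it and compare the two `verify` lines: the captured code is dead once its step has passed, while the secret keeps producing accepted codes. A vault that holds both the password and this secret therefore hands over the durable credential, not a transient one, which is exactly what the single-database argument above is about.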

For the full comparison with 1Password’s built-in TOTP, see FactorCat vs 1Password.

Keep your factors separated. Download FactorCat — it’s free for up to 50 factors.

Available on iOS, Android, Chrome, Firefox, and the web. Free for up to 50 factors.