> there are no conditions under which only one factor could be compromised without also having the other factor leaked
Man in the middle attack,
Phishing attack,
Over the shoulder attack,
Brute force attack,
Keylogger,
HTTP (not HTTPS) traffic sniffing,
'Breach' of the site and realisation they host their passwords in clear text on an unsecured db online.
Then there is human error: typing your password into the wrong site, giving your password to the tech-support cold caller, telling someone your super-secret password ...
> Man in the middle attack
> Http (not https) traffic sniffing
If you can see the password, you can also see the time-based OTP, and you can use those to gain access.
> Phishing attack
> Over the shoulder attack
If you can convince someone to provide you their password, it's highly likely you'll also be able to convince them to also provide you their time-based OTP.
> Brute force attack
A successful brute-force attack on the vault (unlikely) means you've lost both your password and your OTP secret. A successful brute-force attack against a remote account using a safe password (re: password managers) is very unlikely!
> 'Breach' of the site and realisation they host their passwords in clear text on an unsecured db online
The password and the OTP secret themselves have no value (given that you're using unique passwords for each account). If the attacker has breached the service back-end then it's game over anyway, regardless of 2FA for user accounts.