> How is it secure if the only thing an attacker needs is a single method of accessing a single device?
You should have two-factor for your password vault as well, and that TOTP is stored on a separate device.
In other words, you replace the model of having password+TOTP for every account with having one password+TOTP for your password vault, and effectively treat that password vault as an authentication service for yourself.
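As an added illustration of the model the reply describes (not code from the poster): a vault that only unlocks when both a password and a time-based one-time code are presented, with the code generated by a simulated second device. The TOTP arithmetic follows RFC 6238 (HMAC-SHA1 over a 30-second counter, dynamic truncation), so it can be checked against the RFC's own reference secret; the vault's password handling (PBKDF2 with a salt), the `Vault` and `SecondDevice` names, and the demo password are this example's assumptions.

```python
import hashlib
import hmac
import os
import struct

# Constructed demo secret: the ASCII reference secret from RFC 6238 Appendix B,
# used here only so the generated codes can be checked against published values.
DEMO_TOTP_SECRET = b"12345678901234567890"
STEP_SECONDS = 30


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 8-byte counter, then
    dynamic truncation to a decimal code of the requested length."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to the current 30-second step."""
    return hotp(secret, unix_time // STEP_SECONDS, digits)


def verify_totp(secret: bytes, code: str, unix_time: int, window: int = 1) -> bool:
    """Accept the current step plus `window` steps either side to tolerate clock
    skew. Comparison is constant-time so a wrong code leaks nothing about the
    right one."""
    for skew in range(-window, window + 1):
        expected = totp(secret, unix_time + skew * STEP_SECONDS, len(code))
        if hmac.compare_digest(expected, code):
            return True
    return False


class SecondDevice:
    """Simulates the phone or hardware token that holds the TOTP generator.
    It never sees the vault password; it only produces codes."""

    def __init__(self, totp_secret: bytes):
        self._secret = totp_secret

    def current_code(self, unix_time: int) -> str:
        return totp(self._secret, unix_time)


class Vault:
    """The single 'authentication service for yourself': unlocking requires
    the master password AND a valid code from the second device. The TOTP
    secret is shared with the vault for verification (that is how TOTP works);
    what lives elsewhere is the device that generates the codes."""

    PBKDF2_ROUNDS = 200_000  # assumed work factor for the demo

    def __init__(self, salt: bytes, password_hash: bytes, totp_secret: bytes):
        self._salt = salt
        self._password_hash = password_hash
        self._totp_secret = totp_secret

    @classmethod
    def enrol(cls, master_password: str, totp_secret: bytes) -> "Vault":
        salt = os.urandom(16)
        return cls(salt, cls._derive(master_password, salt), totp_secret)

    @classmethod
    def _derive(cls, password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, cls.PBKDF2_ROUNDS)

    def unlock(self, master_password: str, code: str, unix_time: int) -> bool:
        """Both factors are always evaluated so a failure does not reveal
        which one was wrong."""
        password_ok = hmac.compare_digest(
            self._derive(master_password, self._salt), self._password_hash
        )
        code_ok = bool(code) and verify_totp(self._totp_secret, code, unix_time)
        return password_ok and code_ok


if __name__ == "__main__":
    # Constructed walk-through: enrol, then try with and without the second factor.
    vault = Vault.enrol("correct horse battery staple", DEMO_TOTP_SECRET)
    phone = SecondDevice(DEMO_TOTP_SECRET)
    now = 1111111111
    print("password + code :", vault.unlock("correct horse battery staple", phone.current_code(now), now))
    print("password only   :", vault.unlock("correct horse battery staple", "", now))
    print("code only       :", vault.unlock("", phone.current_code(now), now))
```

The walk-through shows the point of the reply: a single captured password (or a single captured code) is not enough on its own; an attacker needs the master password and access to whichever device generates the codes at the same time. The skew window is deliberately narrow, because every extra step accepted is another code that would be valid at a given moment.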