I think the most useful threat model for 2FA is the case of a leaked password.
Malware on a trusted device or a local attacker are very hard to circumvent, though for that we have U2F, which is reasonably safe against both.
I put 2FA in my password manager for that reason. If I have malware on my PC, I'm pwned; there are plenty of services without proper 2FA (looking at you, PayPal, Amazon and my email provider) for which I can consider myself pwned. However, preventing malware has become easier over this year alone; browsers do a lot, and simple A/Vs like MS' built-in one or ClamAV for Linux can catch most of the dangerous ones.
So I'm not worried about malware.
I consider local attackers a more exotic attack vector, and they are rare in my experience, so I'm willing to take this risk in favor of making my life easier.
I agree that U2F is generally a more secure 2FA solution than soft tokens on a phone. If you use U2F (hardware), then what are you storing in your password manager (software)? Maybe, the 2FA secrets for sites that don't support U2F yet? If so, care to share which sites you use frequently that do not yet support U2F?
Also, which password manager do you use? I ask specifically because if it is a popular commercial option (1Password, LastPass, Dashlane), then your attack vector on your password vault is larger than just local malware. It also includes remote attacks directly on the servers of the commercial company. Sure, your vault is encrypted on their servers, but if a hacker gets their hands on your encrypted vault via malware on your system or via their remote servers, it's the same outcome: they have your encrypted vault and can start to work on it. Make sure that your vault password is really strong so that it cannot realistically be brute-forced (I'm sure you already know that).
Well, 1Password has Wi-Fi sync, and also sync via iCloud/Dropbox, so unless you use their built-in service, it's not really an issue (at least for targeted attacks).
Also, they store the vaults encrypted anyway; you unlock it locally with a password, so even with a hack you are still reasonably safe.
>Maybe, the 2FA secrets for sites that don't support U2F yet?
That, yes, I put the 2FA secrets in there. They're also on my phone but I believe these are mostly outdated now since I tend to swap 2FA secrets about once a year.
>Also, which password manager do you use?
I use KeePassXC, a C++ implementation of KeePass which has excellent cross-platform support (Linux and Windows both work very well) and has integrated KeePassHTTP.
I sync the password database to my self-hosted Nextcloud instance (hosted on an OVH dedicated server) and use a password of about 50 characters in length (I use XKCD-style passphrases with about 10 words in there).
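The two posts above make the same point from both sides: an attacker who obtains the encrypted vault file (from the vendor's servers or from a synced Nextcloud share) can guess offline, and the only things standing in the way are the passphrase's entropy and the key-derivation cost per guess. The following is an added example, not code from any poster or from KeePassXC, that puts numbers on that. It assumes a diceware-style list of 7776 words (the poster did not name a list), uses PBKDF2-HMAC-SHA256 from the standard library as a stand-in for the vault KDF (KeePass uses AES-KDF or Argon2, but the cost reasoning is identical), and assumes a hypothetical attacker speed-up factor over the laptop it runs on.

```python
import hashlib
import math
import os
import time

# Assumption: a diceware-style list of 7776 words. The thread does not name the list.
WORDLIST_SIZE = 7776
# Assumption: how much faster a GPU rig guesses than one core of this machine.
ATTACKER_SPEEDUP = 1_000_000


def passphrase_entropy_bits(n_words: int, wordlist_size: int = WORDLIST_SIZE) -> float:
    """Entropy of n words drawn uniformly from the list. Word count matters, not
    character length: an attacker who knows the list guesses whole words."""
    return n_words * math.log2(wordlist_size)


def derive_vault_key(passphrase: str, salt: bytes, iterations: int) -> bytes:
    """Stand-in for the vault KDF: PBKDF2-HMAC-SHA256, 32-byte key."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode("utf-8"), salt, iterations, dklen=32)


def measure_guesses_per_second(iterations: int, samples: int = 5) -> float:
    """Single-core guess rate on this machine for the given KDF work factor."""
    salt = os.urandom(16)
    start = time.perf_counter()
    for i in range(samples):
        derive_vault_key(f"guess-{i}", salt, iterations)
    return samples / (time.perf_counter() - start)


def expected_crack_seconds(entropy_bits: float, guesses_per_second: float) -> float:
    """Expected time to hit the right passphrase: on average half the keyspace."""
    return 2 ** (entropy_bits - 1) / guesses_per_second


if __name__ == "__main__":
    year = 365 * 24 * 3600
    for iterations in (1_000, 100_000, 1_000_000):
        attacker_rate = measure_guesses_per_second(iterations) * ATTACKER_SPEEDUP
        for n_words in (4, 6, 10):
            bits = passphrase_entropy_bits(n_words)
            years = expected_crack_seconds(bits, attacker_rate) / year
            print(f"{iterations:>9} iters, {n_words:>2} words ({bits:6.1f} bits): "
                  f"{years:.3g} years at {attacker_rate:.3g} guesses/s")
```

Running it shows that the KDF work factor buys a linear improvement (10x iterations, 10x time) while each extra word buys a factor of 7776, which is why the 10-word passphrase mentioned above is comfortably beyond offline guessing regardless of the KDF settings, and a 4-word one is not.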
FYI, Amazon (retail) does support TOTP. Here is a direct link to the 2FA settings so you don't have to crawl through the account settings page looking for it: https://www.amazon.com/a/settings/approval.
PayPal supports TOTP everywhere, but it's hidden on a page not reachable via any of their sites, in their old site, and you need to run a custom Python script to even generate the token you want.
Wow, that is horrible. Given that, I would argue that, for all intents and purposes, they do not support TOTP then. An average user has zero chance of doing all of that correctly. Bummer they don't support it as a first-class citizen in their security UX on their main site.
Care to share a direct link to the TOTP configuration site though?