> if you're satisfied with first and second factor living in the same spot

It’s no longer “2FA” then.

It is still 2 factor, breaching the password manager is a corner case that you can decide to cover or not. It seems like for critical accounts you should NOT. For derived accounts, it should be better than just a password.

Only very marginally so. Or what would you say storing a (unique, long) password next to a TOTP hash actually achieves?

Well the totp (even in your passwd manager) defends against phishing I'd thought vs password alone.

For a "service based" password manager, sure. (It can prevent the service from ever handing over your encrypted database to an attacker.)

In a local password manager, it doesn't work like that. A challenge-response mechanism can help there, but the cost/benefit analysis looks pretty different there, IMO.

Eh, it's still a lot better than sms 2fa.

What about 1password is inherently safer though?

I'd suggest reading their security page[0] and write ups others like Troy Hunt has done[1][2].

[0] https://1password.com/security/

[1] https://www.troyhunt.com/have-i-been-pwned-is-now-partnering...

[2] https://haveibeenpwned.com/1Password

What exactly about 1Password is safer, including their cloud hosted options?

Curious as I may look at multiple options.

What exactly about 1Password is safer, including their cloud hosted options?

Curious as I may switch.

This costs a monthly subscription.

I mean we're talking about a monthly fee that is less than a cup of coffee, it's not exactly an exorbitant amount

I don't pay for coffee either.

...and you eat only what you kill with bare hands right?

Good. When it comes to hosted options, this is one I'd rather pay for to ensure long-term sustainability.

If nobody is paying, they are probably the product.