dwedge 5 hours ago

I was reading your other blog post about storing them in Bitwarden. I have to disagree with this point:

> Unless you were forced to by some organisational policy, there's no point setting up 2FA only to reduce the effective security to 1FA because of convenience features.

2FA both stored in your password manager is less secure than storing them separately, but it still offers security compared to a single factor. The attack methods you mentioned (RAT, keylogger) require your device to be compromised, and if your device is not compromised 2FA will help you. To slip into opinion mode, I consider my password manager being compromised to be mostly total compromise anyway.

Also I really like the style and font of your blog.
TacticalCoder an hour ago | parent

> To slip into opinion mode, I consider my password manager being compromised to be mostly total compromise anyway.

But how is that not the entire point? If your 2FA is a proper device, like a Yubikey, the attack surface is tinier than tiny and the device ensures that your secret never leaves the device. We did see cases of password managers getting compromised. We haven't yet seen a secret being extracted from a Yubikey. So where you say you consider that your software (password manager) getting compromised is total compromise, we're saying: "as long as the HSM on a Yubikey does its job, we have actual 2FA and there cannot be a total compromise".