
So I've got a question. Isn't using a password manager with unique, big, long, randomly generated passwords per site essentially the same as two-factor authentication? Something I know (the master password) and something I have (the encrypted password list). The password list lives on my laptop, on my phone, etc. Furthermore, when I use 2-factor auth, I end up storing the lose-your-phone recovery password in the password manager anyway, so I'm probably missing the point of the SMS-, token- or Authy-based validation anyway.


No. Here are two differences between a password manager and 2FA:

1. A password manager will prevent someone from hacking into a website you use, stealing your password, then logging into another website as you. 2FA won't prevent this because someone who hacks into a website can get access to the unique random seed that is used to generate the 2FA sequence, and can then use brute force to determine your password.

2. 2FA will prevent someone from infecting your computer with a virus, stealing your password as you type it in, then using that password to log in as you in future. A password manager won't prevent this because the virus will gain access to both your main password and the list of encrypted randomly-generated passwords.


Re 1: If a.com is hacked, only a.com's OTP seeds are compromised. b.com should (hopefully) use different seeds, so 2FA still prevents someone from logging in.


Yes, you are right - I was thinking about the case where only a.com uses 2FA, not b.com.
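The exchange above (point 1 of the first reply and the correction that a.com's seeds say nothing about b.com's) turns on how OTP seeds work. Below is an added example, not code from any poster, that implements HOTP (RFC 4226) and TOTP (RFC 6238) with Python's standard library, uses the RFC 4226 test secret as a.com's seed so its codes match the published vectors, and then plays the breach scenario: an attacker holding only a.com's seed presents the code it yields to every site. The site names, the second seed and the `sites_opened_by_stolen_seed` helper are constructed for illustration.

```python
"""RFC 4226 HOTP / RFC 6238 TOTP, written to show why a stolen OTP seed
from one site does not unlock another site that enrolled its own seed."""
import hashlib
import hmac
import struct


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter,
    dynamic truncation, then the low `digits` decimal digits."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(seed: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """TOTP (RFC 6238): HOTP with the counter derived from the clock."""
    return hotp(seed, unix_time // step, digits)


def verify_totp(seed: bytes, submitted: str, unix_time: int,
                window: int = 1, step: int = 30) -> bool:
    """Server-side check: accept the code for the current step or `window`
    steps either side (clock drift), compared in constant time."""
    counter = unix_time // step
    for c in range(counter - window, counter + window + 1):
        if hmac.compare_digest(hotp(seed, c), submitted):
            return True
    return False


# Constructed seeds for two imaginary sites. a.com's seed is the RFC 4226
# test secret, so its codes match the RFC's published vectors; b.com's is
# just a different 20-byte string. Real seeds are 20 or more random bytes
# generated independently by each site at enrolment.
SITE_SEEDS = {
    "a.com": b"12345678901234567890",
    "b.com": b"zyxwvutsrqponmlkjihg",
}


def sites_opened_by_stolen_seed(seeds: dict, stolen_site: str, unix_time: int) -> list:
    """Breach scenario (constructed helper): the attacker holds only
    stolen_site's seed and presents the code it yields to every site.
    Returns the sites whose verification accepts that code."""
    forged = totp(seeds[stolen_site], unix_time)
    return sorted(site for site, seed in seeds.items()
                  if verify_totp(seed, forged, unix_time))


if __name__ == "__main__":
    now = 59  # RFC 6238 vector: counter 1 -> "287082" for a.com's seed
    print({site: totp(seed, now) for site, seed in SITE_SEEDS.items()})
    print("stolen a.com seed opens:", sites_opened_by_stolen_seed(SITE_SEEDS, "a.com", now))
```

Because each site derives codes from its own seed, the forged code is accepted by a.com and, barring a one-in-a-million coincidence on a six-digit code, rejected by b.com. Note also that `verify_totp` uses `hmac.compare_digest` rather than `==`; a plain string comparison would leak timing information about how many leading digits matched.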
