Issue
Can I use TOTP codes generated by a password manager?
Resolution
As a best practice, use verification methods such as a mobile app or a physical security key, because they exist separately from a user’s laptop or workstation. This way, if a bad actor manages to gain access to a user’s computer, the user’s second factor isn’t also compromised. Many password managers allow users to generate time-based one-time passwords (TOTP) for MFA.
Use this capability only with password managers that are accessed from mobile devices, or that are themselves protected by MFA (for example, using biometric authentication).