
Do laypeople know or care about the details of password hashing too, and if not does it matter if they know what TOTP stands for?

“Scan this barcode then enter the six digit number from the app; we’ll sometimes ask for the number when you log in” isn’t particularly onerous - 1Password for example will insert your one time pass along with your password so in some cases there isn’t even an extra step to log in. I’d be more worried about people losing/wiping phones and getting locked out of their logins - who needs those backup codes, right?



If your TOTP key is stored in the same place as your password, is it still in any sense a second factor?


That argument surely holds if you’ve got Google Authenticator and 1Password installed on the same device?

If someone gets your vault password and can unlock your phone, you’re toast, but SMS as a second factor is then also compromised so what usable (since this thread started as trying to sell MFA to lay people) options do you have (other than maybe a Yubikey)?


I thought Yubikeys and other hardware keys were best practice?


They might be a preference but I don’t see how they can be best practice when they’re barely supported on a lot of platforms - Firefox has some support (but doesn’t work with, for example, GitHub), no/limited support in Safari, no/limited support in mobile devices.


U2F on Firefox works well with GitHub in my experience; it's Google that's the problem. Mozilla have added a shim to enable login to Google using a key but (due to spec deviance) if you want to add a key you still need to use Chrome :(.


WebAuthn (previously U2F) is just now gaining that support and momentum, with support both in Firefox and Android


Oh for sure, and if Safari (including iOS) gets support we'll be golden across the board [1] whereas U2F was until recently pretty much Chrome-only [2]. It just can't happen soon enough!

1: https://caniuse.com/#feat=webauthn
2: https://caniuse.com/#feat=u2f


As long as it is in a place that you 'have', I believe we can technically count it as MFA.

After 1Password introduced MFA (TOTP) support, it has been used widely in organizations in shared vaults so multiple people can share critical logins that use MFA. This of course means that if your 1Password account is compromised it's game over.



