
Threat models for storing passwords, TOTP and passkeys in a single password manager?

Privacy Guides Community [Unofficial] May 9, 2026
SomeRandomPrivacyUser:

> I’m not too worried about (1) as I always keep the database offline and share it between iPhone and Linux through a USB cable.

Off-topic, but if these are your only 2 copies I strongly suggest creating a third backup on a flash drive stored somewhere away from your home.

SomeRandomPrivacyUser:

> If my iPhone gets compromised, I doubt having TOTP and passwords in separate apps will mitigate anything, as the malware can just get the info from both apps. So there is not much difference in keeping TOTP, passwords, and passkeys in a single database on my phone.

If instead you stored your passkeys on actual hardware (smartphone or security keys), malware generally shouldn’t be able to retrieve your private key. Attackers can sit in as a man-in-the-middle for as long as your device is compromised, but they’d lose that ability once you remove the malware, which sometimes might be as simple as restarting your phone.

SomeRandomPrivacyUser:

> In the case of my Linux machine being compromised, the malware can just wait until I decrypt the database and log everything (then I’m screwed). However, even if I have TOTP or passkeys on a separate device (e.g., my phone), couldn’t the malware just wait until I log in to the sites and copy my password, TOTP code and passkeys when I have to enter them? Would it make any difference if I had MFA on a different device even?

Similar to passkeys stored on hardware, they can sit in as a MITM on your laptop but lack the actual secrets (stored on iPhone, YubiKey, etc.) to gain persistent access to your accounts, thus making the account compromise temporary. In a world where they retrieve all your credentials (which is trivial if it’s all in 1 database), they may be able to steal your accounts without any hope of you recovering them.
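The two situations compared in this reply, modelled as an added example that is not part of the original thread: a relying party accepts either password + TOTP or a passkey assertion; in one run every long-term secret (password, TOTP seed, passkey credential) sits in a database the compromised host decrypts, in the other the seed and credential stay on a separate device and only a 6-digit code and a challenge-bound assertion ever cross the host. The relying party id `example.test`, the sample password, the hashed password check and the use of an HMAC over the challenge in place of the ECDSA/EdDSA signature a real passkey produces are all constructed simplifications for this example.

```python
"""Model of "everything in one database" vs "secrets on a separate device"
when the host is compromised. Added example; names and primitives are
constructed simplifications, not a real WebAuthn implementation."""
from __future__ import annotations

import hashlib
import hmac
import secrets
import struct


def totp(seed: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1, 30-second step) derived from the shared seed."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(seed, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % 10 ** digits:0{digits}d}"


def passkey_assertion(credential_secret: bytes, rp_id: str, challenge: bytes) -> bytes:
    """Challenge-bound assertion. Simplification: an HMAC over (rp_id, challenge)
    stands in for the signature a real passkey makes with its private key, so
    here the relying party keeps the same secret as its verifier."""
    return hmac.new(credential_secret, rp_id.encode() + challenge, hashlib.sha256).digest()


class SeparateDevice:
    """Phone or security key: seed and credential never leave this object;
    the host only ever receives a code or an assertion for one challenge."""

    def __init__(self, totp_seed: bytes, credential_secret: bytes) -> None:
        self._totp_seed = totp_seed
        self._credential_secret = credential_secret

    def enroll(self) -> tuple[bytes, bytes]:
        # One-time export to the relying party at registration (constructed).
        return self._totp_seed, self._credential_secret

    def code(self, now: int) -> str:
        return totp(self._totp_seed, now)

    def assert_challenge(self, rp_id: str, challenge: bytes) -> bytes:
        return passkey_assertion(self._credential_secret, rp_id, challenge)


class RelyingParty:
    """Website accepting either password + TOTP or a single-use passkey assertion."""

    def __init__(self, rp_id: str, password: str, totp_seed: bytes, credential_secret: bytes) -> None:
        self.rp_id = rp_id
        self._password_hash = hashlib.sha256(password.encode()).digest()  # simplification
        self._totp_seed = totp_seed
        self._credential_secret = credential_secret
        self._outstanding: set[bytes] = set()

    def new_challenge(self) -> bytes:
        challenge = secrets.token_bytes(16)
        self._outstanding.add(challenge)
        return challenge

    def login_password_totp(self, password: str, code: str, now: int) -> bool:
        pw_ok = hmac.compare_digest(hashlib.sha256(password.encode()).digest(), self._password_hash)
        code_ok = hmac.compare_digest(code, totp(self._totp_seed, now))
        return pw_ok and code_ok

    def login_passkey(self, challenge: bytes, assertion: bytes) -> bool:
        if challenge not in self._outstanding:
            return False  # unknown or already-consumed challenge
        self._outstanding.discard(challenge)  # each challenge is single use
        expected = passkey_assertion(self._credential_secret, self.rp_id, challenge)
        return hmac.compare_digest(assertion, expected)


# Constructed sample secrets; fixed so the scenarios are repeatable.
PASSWORD = "correct horse battery staple"
TOTP_SEED = b"constructed-totp-seed"
CREDENTIAL_SECRET = b"constructed-passkey-credential-secret"


def single_database_outcome(now: int, later: int) -> dict[str, bool]:
    """All secrets in one database on the host: malware copies them when the
    database is decrypted at `now` and logs in on its own at `later`."""
    device = SeparateDevice(TOTP_SEED, CREDENTIAL_SECRET)  # here it just holds the DB contents
    rp = RelyingParty("example.test", PASSWORD, *device.enroll())
    stolen = {"password": PASSWORD, "totp_seed": TOTP_SEED, "credential_secret": CREDENTIAL_SECRET}
    later_code = totp(stolen["totp_seed"], later)          # attacker mints a fresh code
    challenge = rp.new_challenge()
    forged = passkey_assertion(stolen["credential_secret"], rp.rp_id, challenge)
    return {
        "password_totp": rp.login_password_totp(stolen["password"], later_code, later),
        "passkey": rp.login_passkey(challenge, forged),
    }


def separate_device_outcome(now: int, later: int) -> dict[str, bool]:
    """Seed and credential stay on the device: malware on the host records only
    what crosses it during the victim's real login at `now`, then retries at `later`."""
    device = SeparateDevice(TOTP_SEED, CREDENTIAL_SECRET)
    rp = RelyingParty("example.test", PASSWORD, *device.enroll())
    victim_challenge = rp.new_challenge()
    recorded = {
        "password": PASSWORD,
        "code": device.code(now),
        "assertion": device.assert_challenge(rp.rp_id, victim_challenge),
    }
    assert rp.login_passkey(victim_challenge, recorded["assertion"])  # the victim's own login
    fresh_challenge = rp.new_challenge()
    return {
        "password_totp": rp.login_password_totp(recorded["password"], recorded["code"], later),
        "passkey": rp.login_passkey(fresh_challenge, recorded["assertion"]),
        "replay_old_challenge": rp.login_passkey(victim_challenge, recorded["assertion"]),
    }


if __name__ == "__main__":
    t0 = 1_700_000_000
    print("single database, one hour later:", single_database_outcome(t0, t0 + 3600))
    print("separate device, one hour later:", separate_device_outcome(t0, t0 + 3600))
```

The recorded password stays useful to the attacker in both runs; what changes is whether the second factor can be reproduced after the malware is gone. With the seed and credential off the host, the recorded code is tied to a 30-second step and the recorded assertion is tied to one consumed challenge, which is the "temporary compromise" the reply describes, while a copied seed or credential secret lets the attacker satisfy any future challenge on their own.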
