Does anyone have a description of something manageable?
So just waiting for the password won’t be enough
Agreed, but I think using the same device to access your password manager and for dev is asking for trouble in the first place.
Password managers assumes a non-compromised device. I don't think there exist a password manager that is explicitly designed for a compromised/hostile device.
A password manager + built-in TOTP on a dedicated device is fine for most general usage. Important TOTPs can go to Yubikeys.
UPDATE: also gotta keep track separatelt of non-resident passkeys tied to Yubikey, because Yubikey doesn't know where it was used for non-resident. If you lose one yubikey, need to sync all passkeys to a new replacement one.
Though I think there is also the option that sites can store some sort of identifier on the key, then this would not work:/
That seems somewhat unrealistic? There are many passwords you need to use as part of dev work.
I suppose the inverse would be starting with a device that offers TOTP/MFA, and then making your password-manager/vault somehow available on that same device. In either case, bringing them together makes it easier for an attacker to compromise both at the same time.
On reflection, I've never actually put my (personal) password vault on my phone, but that may be less of a conscious security stance than fulfilling a millennial stereotype, where certain tasks (like big purchases) are reserved for "a real computer."
Closest I've gotten is having my USB backup keychain in the same pocket, so I could get to it in an emergency, but it's inconveniently air-gapped.
i also force most apps on iOS to ask for face id (long press on app icon to set this).
use intentional spelling mistakes in your password vault, edit the password by hand. you also need to have some way of authenticating login components to be sure your running your version of login, and not a trojan login.