Hacker News

8cvor6j844qw_d6, yesterday at 5:57 PM (6 replies)

> Strong support for the strategy of not putting your TOTP/MFA in your password manager

Agreed, but I think using the same device to access your password manager and for dev is asking for trouble in the first place.

Password managers assume a non-compromised device. I don't think there exists a password manager that is explicitly designed for a compromised/hostile device.

A password manager + built-in TOTP on a dedicated device is fine for most general usage. Important TOTPs can go to Yubikeys.
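To make the root post's concern concrete: a "TOTP secret" stored in a vault is a static seed, and every code the service will ever accept is a deterministic function of that seed and the clock. The following is an added illustration, not code from the thread or from any product named in it. It implements RFC 4226 HOTP and RFC 6238 TOTP with the standard library, checks itself against the RFC 6238 Appendix B vectors, and shows both a server-side verifier with clock skew tolerance and the list of upcoming codes that anyone holding the seed can derive. The base32 seed string in the demo is the RFC reference seed, used here only as a constructed example.

```python
"""TOTP (RFC 6238) from scratch, to show what a "TOTP secret" in a
password manager actually is: a static seed from which every future
code is derived. Added illustration, not code from the thread."""
import base64
import hashlib
import hmac
import struct


def hotp(seed: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 4226: HMAC over the big-endian 8-byte counter, then dynamic truncation."""
    mac = hmac.new(seed, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(seed: bytes, unix_time: int, step: int = 30, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 6238: HOTP with the counter set to floor(unix_time / step)."""
    return hotp(seed, unix_time // step, digits, algo)


def seed_from_base32(encoded: str) -> bytes:
    """Decode a base32 seed as it appears in otpauth:// URIs (spaces and padding are often stripped)."""
    cleaned = encoded.strip().replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


def future_codes(seed: bytes, start_time: int, periods: int, step: int = 30) -> list:
    """Every code the service will accept for the next `periods` time steps.
    Whoever holds the seed can produce this list at any time; that is the
    reason for keeping seeds away from the password vault."""
    first = start_time - (start_time % step)
    return [totp(seed, first + i * step, step) for i in range(periods)]


def verify(seed: bytes, submitted: str, unix_time: int, step: int = 30, skew: int = 1) -> bool:
    """Server-side check with +/- `skew` steps of clock tolerance, compared in constant time."""
    for delta in range(-skew, skew + 1):
        if hmac.compare_digest(totp(seed, unix_time + delta * step, step), submitted):
            return True
    return False


# RFC 6238 Appendix B reference seed (ASCII "12345678901234567890"), 8-digit SHA-1 vectors.
RFC6238_SEED = b"12345678901234567890"
RFC6238_VECTORS = {59: "94287082", 1111111109: "07081804", 1111111111: "14050471",
                   1234567890: "89005924", 2000000000: "69279037", 20000000000: "65353130"}


def self_check() -> bool:
    """True if the implementation reproduces all RFC 6238 SHA-1 test vectors."""
    return all(totp(RFC6238_SEED, t, digits=8) == code for t, code in RFC6238_VECTORS.items())


if __name__ == "__main__":
    print("RFC 6238 vectors:", "ok" if self_check() else "MISMATCH")
    # Constructed seed string: the base32 form of the RFC reference seed, as it would appear in a URI.
    demo_seed = seed_from_base32("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ")
    print("next 3 codes from t=1000000000:", future_codes(demo_seed, 1_000_000_000, 3))
```

The point the code makes is that `future_codes` needs nothing but the seed: a vault that holds both the password and the seed turns two factors into one blob, while a seed confined to a phone app or a hardware token stays out of reach of whatever can read the vault.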


Replies

14u2c, yesterday at 7:22 PM

> Agreed, but I think using the same device to access your password manager and for dev is asking for trouble in the first place.

That seems somewhat unrealistic? There are many passwords you need to use as part of dev work.

schrodinger, yesterday at 11:23 PM

That’s a good point.

Maybe a good compromise is to use 1pw for most TOTP but keep your gmail / iCloud and a few others in an iPhone only app?

Gmail is what scares me the most. It’s basically keys to the kingdom.

deepsun, yesterday at 7:12 PM

But it's a hassle to have at least 2 yubikeys in case you lose one. And since you regularly sign up for new websites with OTPs, gotta keep them in sync. So always carry both with you. And if you carry both, then it's easy to lose both at the same time.

UPDATE: also gotta keep track separately of non-resident passkeys tied to Yubikey, because Yubikey doesn't know where it was used for non-resident. If you lose one yubikey, need to sync all passkeys to a new replacement one.

captn3m0, yesterday at 8:52 PM

> I don't think there exist a password manager that is explicitly designed for a compromised/hostile device.

The crypto people tried this with hardware only password managers but they were too annoying. I have a halfway solution of using pass with Yubikey/GPG where each password decryption requires a touch. It does protect against the entire vault being decrypted at once and exfiltrated.

bigiain, today at 2:35 AM

> Important TOTPs can go to Yubikeys.

Once you have a Yubikey (preferably two, so you have a backup if you damage/lose one) - you may as well make _that_ your primary MFA method, and only use TOTP for services you can't enrol your Yubikeys on.

embedding-shape, yesterday at 8:29 PM

> Agreed, but I think using the same device to access your password manager and for dev

Almost all development I do, and most others do, is on our own projects or projects we're at least interested in and most likely dove into; that's why we're developing in them in the first place.

In this case, it seems like the developer wasn't actually developing anything, but playing around with image generation on his time off, for fun, and ended up pulling down a random 3rd party thing and got compromised that way. Very different from "for dev" I'd say.

Besides, didn't most developers start isolating projects from each other when the first npm worms started to appear? I know I stopped running `npm install` in the same environment I do my banking in, and drastically reduced the amount of random 3rd party stuff I have; still use all the same device though. Even have a Windows install on the same computer, booo!