Wonder if you could run your password manager in an isolated sandbox that couldn’t provide the secret behind the TOTP, only the current value.