1 point
You’re right if I get a virus I’m pretty cooked. Except I think to set 2fa up on the attacker’s device they’d need the phone authenticator to set it up the first time, so hopefully they couldn’t do it unless they used my computer remotely to login to websites.
But the password manager locks after 15 min and you have to put a pin in to unlock and decrypt.
I’m not sure what brute force mechanisms it has against the pin.
Re-entering the 2fa each session is annoying but it’s way better than having to do it on each individual site from my phone.