You’re right, but if they have your password manager, they likely have your phone, and that means they have your Aegis too.

Still, my suggestion is less of a second factor unless you have 2fa on your keypass, so not best practice.

Keepass can replace Aegis for TOTP

That really is nice, right? I also like when my apps have no mechanism to connect to the internet, so you don’t have to worry about trackers, data exfiltration, etc.

This is correct. The folks adding these trackers to their sites usually have little to zero tech knowledge. They see a plugin or other way to provide them with the metrics they think they need and its “so easy” to use tag manager or the Facebook pixel.

I knew someone working for a nonprofit that was building out a form for indigenous troubled families, and they used both google and meta tools. Their intended cohort actively avoided it based on their initial finding that it was tracking them (they apparently had a tech person on their side of the table). This prompted a whole board level meeting, which resulted in the removal of the trackers, which were later re-added in another,less skeevy way, after the data they wanted stopped flowing) and the immediate enrollment in the program by hundreds of families.

In the end, they decided they need those tools, as alternatives were to clunky for them. Google and Meta make it seem easy for you, since they have much to gain and little to lose by making their data collection tools easy to implement. I went round and round with my friend about how bad this was, and they got it, but their higher-ups overrode them.

And Meta and Google lived happily ever after…