I often see people make security decisions based on pure intuition. Can I store TOTP in my password manager? Should I use a local password manager or is a remote one OK? Is it OK to configure multiple second factors? Since I have a degree in Information Security 🤓, I think I’ll try to clarify these questions by describing the underlying theory, so you’ll have a decision framework to make educated choices.