
The odds of your lost phone landing in the hands of somebody who is going to spin up a bitcoin mining farm on your AWS account are minuscule. A much, much more likely risk is one of your accounts getting compromised by some dude running a botnet using a list of a million leaked credentials... If you have 2FA on the site the botnet is targeting, you are immune from compromise.

Besides, my phone has the ability to do a remote wipe. It is effectively a bricked door stop until they can log into the phone.



> Besides, my phone has the ability to do a remote wipe. It is effectively a bricked door stop until they can log into the phone.

If they got your TOTP seeds, you're in a race to see whether the person who {compromised,stole} your phone can disable your ability to do that first, and since a remote wipe requires network access, they can simply ignore it and reuse your credentials until you change them.

What all of these have in common is that multi-factor authentication is based on having separate factors. If you store your passwords in the same place as your TOTP seeds, you have one factor rather than two. You might decide the risk is acceptable but that should be a carefully reasoned decision, which was … not apparent … from the comment I was replying to.
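
An added example, not part of the thread: a minimal RFC 6238 TOTP check showing that a code depends only on the seed and the clock, so a copy of the seed stays valid after the device is wiped and stops working only when the account is re-enrolled with a new seed. The seeds, function names and the one-step acceptance window are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import struct

STEP = 30  # seconds per TOTP time step (RFC 6238 default)

def totp(seed_b32: str, unix_time: int, digits: int = 6) -> str:
    """RFC 6238 TOTP with HMAC-SHA1: output is a function of seed and time only."""
    key = base64.b32decode(seed_b32, casefold=True)
    counter = struct.pack(">Q", unix_time // STEP)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def server_accepts(enrolled_seed: str, code: str, unix_time: int, window: int = 1) -> bool:
    """Server-side check: accept the current step plus/minus `window` steps of drift."""
    return any(
        hmac.compare_digest(totp(enrolled_seed, unix_time + d * STEP), code)
        for d in range(-window, window + 1)
    )

# Constructed sample seeds (the first is the RFC 6238 test key, not a real secret).
ENROLLED_SEED = base64.b32encode(b"12345678901234567890").decode()
ROTATED_SEED = base64.b32encode(b"ROTATED-SEED-EXAMPLE").decode()

def seed_copy_outlives_wipe(now: int = 1111111109):
    """Return (accepted_after_wipe, accepted_after_reenrollment) for a copied seed."""
    copied_seed = ENROLLED_SEED  # copy taken from the device before any wipe
    # Wiping the phone changes nothing on the server: the enrolled seed is unchanged,
    # so a code computed from the copy a day later is still accepted.
    later = now + 86400
    after_wipe = server_accepts(ENROLLED_SEED, totp(copied_seed, later), later)
    # Re-enrolling the account replaces the server-side seed; the copy is now useless.
    after_rotation = server_accepts(ROTATED_SEED, totp(copied_seed, later), later)
    return after_wipe, after_rotation

if __name__ == "__main__":
    print(seed_copy_outlives_wipe())
```

The mitigation the result points to is re-enrolling TOTP (and changing passwords) on every account whose seed was on the device, rather than relying on the wipe.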



