In other words: Is saving or using the two-factor authentication (2FA) secret on the same machine to generate one-time passwords (OTP), breaking the two-factor authentication (2FA) concept since it's all done on one machine.
KeePass has some plugins that facilitate this:
There are also tons of browser plugins that faciliate this, which seem even more insecure in my opinion and there is even a HTML5 version.
Yes. Concept of two factors is to authenticate using any combination of the below methods
If you hide both of them under third password (or even without password), you are weakening the whole concept. If the attacker can get through this single password, he got complete access (that would not happened with proper 2FA).
But people are lazy and therefore these plugins exists. The need to use 2FA might be also triggered by some security policy and the users might not see the benefit of it.
When you are using OTP based on HOTP or TOTP locally you need to store the seed somewhere. So you store the seed on this local machine.
Now it depends on your threats.
This may very well protect you against shoulder surfers or maybe keyloggers. But it will not protect you against local attacks. But the question is, if you do not have a bigger problem, if someone is able to perform a local attack.
If you try to use OTP for encryption, this is just eye candy. You are encrypting things to protect against local attacks. You encrypt your harddisk, because you want to avoid an thieve getting into your data. You are using keepass, because you want to avoid a thieve who is grabbing the file to access this file.
How does encryption work? You have a symmetric AES key which is either encrypted by your passphrase or which is generated out or your passphrase. Everyone would choose the first, to be able to change the passphrase. The threat is the physical theft of your file. ...protected by your passphrase.
So as @Jakuje pointed out: How should OTP help you? You need to store the seed. How would you protect the seed against a thieve with local access? Encrypt it! How? With a passphrase? => only one factor.
You could however create a more complex scenario with HOTP (not TOTP!) and encrypt the seed with the next OTP value. Then, the next OTP value will decrypt the seed, next time you want to access your data. THen you need to reencrypt the seed with again the next OTP value. But I would recommend a lot of safeguards, because to many blank presses will give you a OTP value, which will not decrypt the seed anymore...
If it breaks 2FA authentication or not, depends on the implementation. Those implementations you specify do remove the "2factor" out of 2FA and reduce it to single factor (the seed then becomes like a second "password" to your account). Same applies to using a soft-token in a Android/iPhone unless the token specifically uses secure Android Keystore bound to hardware.
However, there is implementations where the storage of the seed is actually secure. One example would be storing the key in a TPM (Trusted Platform Module) in such a way codes can only be generated, the seed can never be recovered from the TPM.
Another example is a Yubikey Nano permanently inserted into a USB port. A third example is a builtin Security Chip on certain Intel processors, that can be used for 2FA: http://www.intel.se/content/www/se/sv/architecture-and-technology/identity-protection/identity-protection-technology-general.html
When the token is securely stored, it does not negate the 2FA, as in that case, your machine is somewhat securely bound to the service in question, such as even if you machine becomes compromised, the 2FA is not permanently compromised, only temporarly compromised (eg, the attacker can still use your machine to generate codes, but not gain sufficent information to itself generate codes without your machine). If you recover from the machine compromise, this means that you can continue using 2FA even if the seed is not changed.
