defeating the purpose of multiple factors of authentication.
No, it doesn’t. OTP protects the user in case of phishing. If Joe enters his login on a cloned page, the attacker will only be able to use his credentials if he acts very fast; otherwise the OTP will have expired.
It protects the user in case of a credential leak too. As most users will not have a dozen different passwords for a dozen services, if one password leaks, all other accounts are at risk. With OTP, even if the user has the same useless 12345678 password on every service, the attacker will not be able to compromise any account because of the OTP.
If an attacker has access to Joe’s computer and he’s able to attack the password manager, the same attacker already has the means to replace the password manager with a trojanized version, or the browser, or to install keyloggers. If he has access to the computer, it’s game over anyway, with a password manager or not.
Unless you are expecting average users to have one password manager taking care of passwords, and another password manager on another device taking care of OTP tokens, having one password manager taking care of both is a good trade-off.
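The time-window and replay behaviour the comment relies on ("only if he acts very fast, otherwise the OTP will have expired") can be made concrete with a small TOTP verifier. The following is an added example written for this discussion, not code from the commenter or from any password manager; it implements RFC 4226 HOTP / RFC 6238 TOTP (SHA-1, 30-second step, 6 digits) and adds the two server-side checks a relying party needs: a bounded look-back/look-ahead window so a phished code stops working once its time step has passed, and a high-water mark so a code already consumed by the legitimate user cannot be replayed. The secret and timestamps are the RFC 6238 test values, used here as constructed sample input.

```python
import hashlib
import hmac
import struct

STEP_SECONDS = 30   # RFC 6238 default time step
DIGITS = 6          # code length shown to the user


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    msg = struct.pack(">Q", counter)
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: float, step: int = STEP_SECONDS) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the current time step."""
    return hotp(secret, int(unix_time // step))


class TotpVerifier:
    """Relying-party side of TOTP with expiry and replay protection.

    window=1 accepts the current step plus one step on either side, which tolerates
    clock skew but means a freshly phished code stays valid for at most ~60-90 s.
    """

    def __init__(self, secret: bytes, window: int = 1, step: int = STEP_SECONDS):
        self.secret = secret
        self.window = window
        self.step = step
        # Highest counter already accepted; a code for this or an earlier
        # counter is refused, so a captured code cannot be replayed after use.
        self.last_counter = -1

    def verify(self, code: str, unix_time: float) -> bool:
        current = int(unix_time // self.step)
        for counter in range(current - self.window, current + self.window + 1):
            if counter <= self.last_counter:
                continue  # already consumed (or older than a consumed code)
            # Constant-time comparison avoids leaking digit matches via timing.
            if hmac.compare_digest(hotp(self.secret, counter), code):
                self.last_counter = counter
                return True
        return False


if __name__ == "__main__":
    # Constructed sample: RFC 6238 reference secret, user authenticates at t=59.
    secret = b"12345678901234567890"
    phished_code = totp(secret, 59)          # code the user typed into a cloned page
    site = TotpVerifier(secret, window=1)
    print("legitimate login at t=59:", site.verify(phished_code, 59))    # True
    print("attacker replays at t=61:", site.verify(phished_code, 61))    # False: already used
    print("attacker first at t=179:", TotpVerifier(secret).verify(phished_code, 179))  # False: expired
```

Two things the code makes visible that the comment states in prose: a relayed code that reaches the real site within the accepted window before the user's own submission does go through (that is the "acts very fast" case, which is why phishing-resistant factors such as FIDO2 are preferred against real-time proxies), and anything slower than the window, or anything after the legitimate use, is refused.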