Several comments here suggesting that using password managers for TOTP defeats the purpose of TOTP as a second factor. I don't agree.

I strongly prefer other factors (U2F/FIDO(2)/WebAuthn/Passkeys/whatever), but unfortunately TOTP is still extremely prevalent. Worse is when only a single secondary factor can be registered, in which case, even if something other than SMS or TOTP is available, I slightly bias away from hardware security tokens in order to have a clear recovery path. I can at least back up most TOTP keys.

I agree that having a second vault for TOTP seems superior, but from a UX and recovery perspective it's not so clear. Are both vaults available on all devices? Are they usually unlocked simultaneously? Is it likely that one vault but not the other would be stolen? Or you have a separate device or air gap, and now the usability adds friction. It seems like diminishing returns.

Conversely, a single vault still offers significant protection from many attack vectors, including keyloggers and phishing. Even if access is obtained via MITM'ing a TOTP, the blast radius is often limited to a single session. Many services have poor session security once established, but many do not. And in my experience it's still nearly impossible to get rid of SMS 2FA.

TOTP is almost always strictly better than SMS 2FA, and storing your TOTP keys alongside your passwords doesn't really diminish the effectiveness of TOTP very much at all. Unless you have the keys themselves exposed, they're still closer to "something you have" than "something you know", at least from where I'm sitting.

Their main weakness is that they can be backed up or copied at all, as well as MITM'd. How I securely store them doesn't have much impact.