by scrollaway 3189 days ago
On Android, I use FreeOTP; I can make backups with `adb`.

Separately, I use KeePassXC (https://keepassxc.org) and store all my 2fa seeds in a dedicated (separate) 2fa database which I keep locked. You can also keep it in the same database as your password db if you want to trade the 2nd factor for convenience but still get the added benefit of one time passwords.


> I can make backups with `adb`

Does it follow that an attacker can make a "backup" of your 2fa codes as well, if they get ahold of your phone for a minute or two?

Physical device access is where this kind of security ends. If someone stealing your phone just to get your 2fa codes is a threat vector for you, you should be using different/additional factors.

In any event, as was pointed out, adb needs usb debugging turned on, which needs the device unlocked to be enabled.

You need to authorize each adb key on the phone, so a screen lock prevents this.
No, because you can (and should) disable usb connectivity/debugging.