by movedx 1432 days ago
Microsoft Authenticator - syncs your codes to the Cloud so you can pull them elsewhere (when your phone is out of action).

Last time I tried that I still had to reactivate all the accounts.

Storing them in Bitwarden is more convenient by far, but storing TOTP is a paid feature.

I use 1Password, but I'm not sure storing the OTP next to the password is a good idea?
The idea is that you protect your password vault with 2FA and a strong password.

It slightly raises the risk in the scenario where your password vault gets hacked, but like with putting all your passwords in the same place, if you've only got 1 place to protect it becomes easier to protect it more thoroughly.
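The risk being weighed in the reply above is that a TOTP entry in a vault is not a code, it is the seed that generates every code. The following is an added example, not code from the thread or from any of the products mentioned: a minimal RFC 4226 / RFC 6238 HOTP/TOTP implementation, checked against the RFCs' published test vectors, plus a helper that shows what an attacker can do with a base32 seed lifted from a vault export. The function names and the `otpauth`-style base32 seed handling are this example's own assumptions.

```python
import base64
import hashlib
import hmac
import struct

# RFC 4226 / RFC 6238 reference secret (ASCII "12345678901234567890").
# Authenticator apps and vaults normally store this seed as base32, which
# is what an otpauth:// URI's "secret=" parameter carries.
RFC_SECRET = b"12345678901234567890"
RFC_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 4226: HMAC(secret, counter) -> dynamic truncation -> decimal code."""
    msg = struct.pack(">Q", counter)            # 8-byte big-endian counter
    mac = hmac.new(secret, msg, algo).digest()
    offset = mac[-1] & 0x0F                     # low nibble of last byte
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30,
         digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 6238: HOTP with counter = floor(unix_time / step)."""
    return hotp(secret, unix_time // step, digits, algo)


def decode_seed(b32_seed: str) -> bytes:
    """Decode a base32 seed as stored by authenticator apps / password vaults.
    Tolerates the spaces and missing '=' padding that QR codes and vault
    exports commonly drop."""
    s = b32_seed.strip().replace(" ", "").upper()
    s += "=" * (-len(s) % 8)
    return base64.b32decode(s)


def codes_from_stolen_seed(b32_seed: str, start_time: int, windows: int,
                           step: int = 30, digits: int = 6):
    """What a vault thief gets: every code for the next `windows` time steps.
    This is the point of the thread's risk argument: once the seed is next to
    the password, the 'second factor' is derivable from the same stolen blob."""
    seed = decode_seed(b32_seed)
    return [(start_time + i * step, totp(seed, start_time + i * step, step, digits))
            for i in range(windows)]


if __name__ == "__main__":
    # Constructed demonstration: a seed pulled from a vault export, used to
    # print the codes valid for the next five minutes from an arbitrary time.
    for t, code in codes_from_stolen_seed(RFC_SECRET_B32, 1234567890, 10):
        print(t, code)
```

The `hotp`/`totp` values below are the RFCs' own test vectors (SHA-1, 30-second step, 8 digits for the TOTP table), so the implementation can be checked offline; swapping in `hashlib.sha256` or `hashlib.sha512` covers the other RFC 6238 suites.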

Doesn't that defeat the purpose to a degree?
Microsoft thinks it is fine for most users' threat models because these use two stacked layers of encryption: your Microsoft account and either Apple's cloud backup encryption or Google's. To move these codes between devices you have to log in to both your Microsoft account and your Apple or Google account in quick succession. I know on Apple devices it works in the same (iCloud) backup layer that disables other device keys, so doing this on a new device will "break" access on the previous device (only one device at a time has access). (I'm not sure about Google's ecosystem.) You can't easily switch ecosystems with this. Microsoft seems to think it unlikely enough that both your Microsoft account and your device ecosystem account will be compromised at the same time that there is enough security in this depth.
I use MS Authenticator, and had the same thought.

I came to grips with the idea that I really don't care all that much if a single factor has risks as long as the other factors have orthogonal lists.

There needs to be a way to sync everywhere except the device you're connecting from