by nosefurhairdo 881 days ago
Bitwarden + 2 yubikeys is my solution. I remember one password, keep one key with me, and leave one key at home.

Is there a "create duplicate/backup of yubikey" app of some kind?

EDIT: How to register your spare Yubikey: https://support.yubico.com/hc/en-us/articles/360021919459

Wait, they suggest saving photos of the QR codes of your TOTP secrets? That seems to weaken the concept by making it easy for an attacker 1) to identify secrets and the sites they’re associated with, and 2) to retrieve them (in plaintext, no less) with no more than access to a device’s photo roll.

I thought the idea was that we’d write the secret once to an arbitrary number of primary and backup devices, then destroy it so it can’t be stolen as easily. Although I guess password managers save TOTP secrets alongside the password factor these days too.

Does the “the secret itself is not phishable” aspect of TOTP just not actually matter in practice as much as the rapid expiration and frustrating replay attacks / on-the-wire sort of secret interception?

Having the QR in your photo roll doesn't break the 'not phishable' property.
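To make the distinction in the last three comments concrete: the provisioning QR code encodes an otpauth:// URI that carries the seed in the clear together with the issuer and account label, while what crosses the wire at login is a short code derived from that seed with HMAC over the current time step. The example below is added here and is not code from anyone in the thread or from Yubico; the URI is a constructed sample, the seed is the RFC 6238 SHA-1 test key rather than a real credential, and the clock-skew window size is an assumption.

```python
import base64
import hashlib
import hmac
import struct
from urllib.parse import parse_qs, unquote, urlparse

# Constructed sample of what a TOTP provisioning QR code decodes to. The
# secret is the RFC 6238 SHA-1 test key ("12345678901234567890" in base32),
# not a real credential.
SAMPLE_OTPAUTH_URI = (
    "otpauth://totp/ExampleBank:alice%40example.com"
    "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=ExampleBank&digits=6&period=30"
)


def parse_otpauth(uri):
    """Return (issuer, account, secret_bytes, digits, period) from an
    otpauth://totp URI. Everything needed to mint codes for this account is
    recoverable from the image alone."""
    u = urlparse(uri)
    if u.scheme != "otpauth" or u.netloc != "totp":
        raise ValueError("not an otpauth://totp URI")
    label = unquote(u.path.lstrip("/"))
    issuer_from_label, _, account = label.rpartition(":")
    q = parse_qs(u.query)
    issuer = q.get("issuer", [issuer_from_label])[0]
    secret_b32 = q["secret"][0].upper()
    secret_b32 += "=" * (-len(secret_b32) % 8)  # restore padding if it was stripped
    secret = base64.b32decode(secret_b32)
    digits = int(q.get("digits", ["6"])[0])
    period = int(q.get("period", ["30"])[0])
    return issuer, account, secret, digits, period


def totp(secret, unix_time, digits=6, period=30, t0=0):
    """RFC 6238 TOTP with HMAC-SHA1: HOTP over the counter floor((T - T0) / period).
    Only the truncated decimal code ever leaves the device; the seed does not."""
    counter = (int(unix_time) - t0) // period
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def verify(secret, submitted, unix_time, digits=6, period=30, skew=1):
    """Server-side check allowing `skew` time steps of clock drift either way
    (assumed window size). Constant-time comparison avoids a timing oracle."""
    for step in range(-skew, skew + 1):
        expected = totp(secret, unix_time + step * period, digits, period)
        if hmac.compare_digest(expected, submitted):
            return True
    return False


def replay_window(secret, captured_at, check_times):
    """Show how long a code observed on the wire at `captured_at` keeps
    verifying: only for its own time step plus the server's skew window."""
    code = totp(secret, captured_at)
    return {t: verify(secret, code, t) for t in check_times}


if __name__ == "__main__":
    issuer, account, secret, digits, period = parse_otpauth(SAMPLE_OTPAUTH_URI)
    print(f"QR reveals: issuer={issuer} account={account} seed={secret!r}")
    print("code at T=59:", totp(secret, 59, digits, period))
    print("replay window for that code:", replay_window(secret, 59, [59, 80, 89, 120]))
```

The RFC 6238 test vectors (T=59 gives 94287082 for eight digits, so 287082 for six) confirm the derivation, and `replay_window` shows the practical point of the exchange above: a sniffed code is reusable only within its time step plus the server's tolerance, whereas the seed from a photographed QR code yields valid codes indefinitely for that account.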