by Fishkins 857 days ago
> I guess this depends on your threat model. In what cases would your password vault be compromised, but your TOTP vault still be secure?

If Bitwarden is compromised, like LastPass was. Of course the vault should still be encrypted, but I don't want to rely on a single company managing everything correctly. It seems much less likely that two different companies will be compromised at the same time.

1 comments

That's been my attitude; both are keyed to my Face ID, otherwise encrypted. My phone times out really quickly if I'm not typing away on it. I feel relatively safe. I wonder, though, how much longer they will maintain the phone apps. All my desktop versions are verified from my phone, so them dropping the desktop sucks but isn't catastrophic.