by gchamonlive 532 days ago
It's better than not having 2fa, but a breach to your password manager would give any attacker full control over your accounts.

A better approach would be to split into two solutions, one where you store passwords and one where you store 2FA keys.

I use Bitwarden for passwords, but save all 2FA in Aegis. These two have different 5-word passphrases prefixed with a regular 8-char password to increase entropy. I save a backup of the 2FA db to a replicated storage with a synthetic password. For Bitwarden I delegate persistence of the data to Bitwarden, but it would make sense to take encrypted backups regularly.

The disaster recovery protocol is to have a smaller 2FA encrypted database printed on paper. I know the password to this db. Recovering this DB gives me access to Bitwarden and the cloud storage, which gives me access to the rest of my passwords and keys.

1 comment

Similar - I use Bitwarden for passwords and Authy for 2FA, so a compromise of only one of them is not a disaster (assuming a site supports 2FA, which my important ones largely do).
Authy is nice because it takes care of replication, but once you have all your devices synced I'd disable adding new devices; otherwise it'll expose your 2FA in case of SIM card breaches.