I memorize the seed and calculate the next token in my head.

Passwords in KeePass, totp in Aegis.
My phone does have both, but they each have their own encryption.

I throw them all in Bitwarden which is protected with a long, unique password and a yubikey.

In the case of Keepass, it is commonly said that it is best to have a database exclusively for your OTP.

For example, you have your passwords in a db called “My passwords” with an exclusive encryption password, and then another db called “My OTP’s” with its own encryption password, so if someone somehow get access to one, that person still won’t have access to the other, and therefore cannot enter your account.

Hardware keys for everything. Bitwarden for the rest.

Honestly a big debate, so it really depends on your threat model. Lots of people even keep their totp seeds within their password manager which basically defeats 2fa imo, but it’s highly convenient. Personally I keep my totp seeds seperated in a sandboxed user profile.

Aegis with the password in a YubiKey.

My password manager and I don’t know the password.

Depends on what is secure enough to you. For me that is secure enough but I know a ton of people out there who would say it’s not secure enough for them. So in the end it’s up to you. Think about the risks and make a decision.

I might keep the in Bitwarden, then secured with hardware key.

Well, the whole point of otp tokens/2fa, is to have a second login confirmation. Mostly on another device, like a phone.

Now maybe if you store your 2fa way on the same device, but locked away with a strong password, it may work, and could be safe enough.

But if it’s the same password as your device or another account, it isn’t that safe.

deleted

Yuibkey authenticator app looks good. All tokens are in the hardkey.

deleted by creator