
Dangit I just finished migrating from Lastpass and moving all of the TOTPs into Bitwarden. I was worried about losing access to the TOTPs in the event of a broken phone, so both LP and BW's cloud backup of the codes seemed like a good idea.

The article makes sense and I see the flaw in keeping them both in one place. Wish I'd thought that through.

Related: did you know you can use multiple apps for that TOTP code? Just scan the QR code in App A, then scan the exact same code in App B. That + Yubikey 5's TOTP app means two identical copies of the codes on two different media. Approaching a decent backup scheme.
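To make the "scan the same QR code into two apps" point concrete, here is an added example (not from any commenter, nor from the apps named in this thread) of what an authenticator does with a scanned code: the otpauth:// URI carries the base32 secret, so every app provisioned from it computes identical TOTP codes, and that secret is the real thing being backed up. The URI below is constructed around the RFC 6238 reference secret so the output can be checked against the RFC's test vectors.

```python
"""TOTP (RFC 6238) computed from an otpauth:// provisioning URI, the payload
encoded in a 2FA QR code. Constructed example, not from the thread."""
import base64
import hashlib
import hmac
import struct
from urllib.parse import parse_qs, urlparse


class TotpApp:
    """One authenticator app instance, provisioned by 'scanning' a URI."""

    def __init__(self, uri: str) -> None:
        parsed = urlparse(uri)
        if parsed.scheme != "otpauth" or parsed.netloc != "totp":
            raise ValueError("only otpauth://totp/ URIs are supported")
        params = {k: v[0] for k, v in parse_qs(parsed.query).items()}
        # The base32 secret is the whole backup: whoever holds it makes codes.
        # Re-pad to a multiple of 8 because many QR codes omit the '='.
        secret = params["secret"].upper().replace(" ", "")
        self.key = base64.b32decode(secret + "=" * (-len(secret) % 8))
        self.digits = int(params.get("digits", 6))
        self.period = int(params.get("period", 30))
        self.algorithm = getattr(hashlib, params.get("algorithm", "SHA1").lower())

    def code_at(self, unix_time: int) -> str:
        """HOTP over the time-step counter (RFC 4226 dynamic truncation)."""
        counter = unix_time // self.period
        mac = hmac.new(self.key, struct.pack(">Q", counter), self.algorithm).digest()
        offset = mac[-1] & 0x0F
        binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
        return str(binary % 10 ** self.digits).zfill(self.digits)


# Constructed URI around the RFC 6238 reference secret ("12345678901234567890"
# in base32) so the output can be checked against the RFC's test vectors.
EXAMPLE_URI = ("otpauth://totp/Example:alice%40example.com"
               "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Example&digits=8")


def codes_match(uri: str, unix_time: int) -> bool:
    """Two apps provisioned from the same QR code are interchangeable."""
    app_a, app_b = TotpApp(uri), TotpApp(uri)
    return app_a.code_at(unix_time) == app_b.code_at(unix_time)


if __name__ == "__main__":
    print(TotpApp(EXAMPLE_URI).code_at(59))  # 94287082 per RFC 6238
    print(codes_match(EXAMPLE_URI, 1111111111))  # True
```

The same logic is why a saved setup key or a Yubikey-stored copy is equivalent to the app itself: anything that holds the secret can mint codes, so the backup needs the same protection as the authenticator.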



I wouldn't recommend keeping your TOTPs in Lastpass Authenticator at all. That's worse than having them in Bitwarden given Lastpass's track record. If you want something with cloud sync that isn't your password manager, maybe try Authy? (I don't recommend Authy, but it would be an improvement.)

IMO it makes sense to have most of your TOTPs in Bitwarden - anything that isn't critical. The reduced friction means you're more likely to enable TOTP 2FA for every account that you can - net increase in security compared to not having it at all.

For your critical accounts, I recommend securing them with your Yubikey via U2F / WebAuthn if possible. If not, then use your Yubikeys to store the TOTP codes. If you need/want a better backup than a second device, you could consider literally writing them down or backing them up into a Veracrypt encrypted container. You could also use an open-source, local-only TOTP app like andOTP/Aegis on Android or Tofu/OTP Auth on iPhone.


Aegis [0] is a much better alternative to Authy if having backups is a must (and even if it isn't, too), especially because you will be in control of these backups. If you are on iOS, Raivo [1] is a similar alternative that provides encrypted backups to iCloud.

[0]: https://github.com/beemdevelopment/Aegis

[1]: https://github.com/raivo-otp/ios-application


Yeah, IMHO setting up the TOTP on multiple devices is a good idea. I also save the setup key along with the recovery codes so that I can easily set up new devices if I need to (plus I have seen some cases, i.e. Facebook, where the recovery codes don't work). I guess this is marginally less secure than storing just the recovery codes, because if someone finds my backups they can now generate infinite tokens, but if that happens I probably have worse problems to worry about.


You can also export codes from Google Authenticator to a second device now, which I used for backing up my 2FA codes onto my iPad. Great way to have a backup when necessary without meaningfully decreasing security (just make sure to test your backup occasionally!)


What I liked with Aegis was that it did exactly what Google Authenticator did (or better), but it was open source and not Google.

Then I moved to Yubikey, which I also love. I don't see the point in using Google when there are good alternatives :)



