dgzeij
...password and 2FA cannot be in the same app or vendor.
Everyone has their own unique priorities + threat model, to be sure. However, unless you are a high-value target and/or holding keys to high-value assets, there is very little to be gained in not storing 2FA secrets and PWs together in a properly secured DB.
To be clear, you shouldn't even store 2FA seeds on the same device as the one used to access accounts if you fall into the high-value category. But for most folks, secrets and PWs will be available on a primary device, usually managed by two separate apps.
Why not then store them all together?
In my case, I store all with KeePass and everything is securely auto-typed by Magi-Keyboard. This huge convenience overwhelmingly surpasses the scant security advantage of using two apps. For an attacker would need to steal my DB and crack (or otherwise access) it. Meanwhile, TOTP still secures against the following:
- Password breach of the sites/apps/services that I access.
- Keyloggers on untrusted devices, assuming manual entry -- you wouldn't have anything sensitive stored here.
- Network captures on open WiFi networks, etc.
- Phishing, social-engineering, etc(?).
Some would argue, "But...having TOTP seeds stored separate from the rest gives you more security because 2>1!"
Brash oversimplification, I say. Why not then store every single item separate in a respective DB (little bit tongue-in-cheek, but I think you get me)? Again, if your threat model includes attacks sophisticated enough to breach one reasonably secure DB on a device, two doesn't seem quite so much greater then, in that case.
(E:typo)