Ask HN: How do you deal with TOTP 2-factor auth?
9 points by mort96 on Sept 11, 2023 | 19 comments
I asked this on Mastodon too (https://fosstodon.org/@mort/111046321693058214), but it feels relevant for HN too.

Since this github 2fa thing is happening, I'm gonna need a better solution for 2fa. So far I've used Authy on my phone for work stuff. That's fine. But for personal stuff, I want more control.

What good open-source options do you all prefer to deal with TOTP? I'm thinking I'll use Bitwarden to sync TOTP keys, since I already use them for passwords, which means I need apps which let me freely and easily copy those secrets around. I use Linux, iOS and macOS, so I'll need apps for all those platforms.

I'm not interested in moving to a different password manager, and I'm even less interested in moving to a closed source password manager. (Imagine that, handing all your passwords to some closed source application from some random US company in the name of security...)



I read your requirements and threat model further down the thread, which is really helpful when thinking about possible solutions.

Before being comfortable recommending anything, I have a question about GitHub's 2fa implementation here, which others may be able to answer.

Without 2fa, an account can be accessed if you compromise the password (which might be long and high entropy or equally might be terrible) but not otherwise.

If TOTP (or SMS) 2fa is enabled and the 2nd factor is compromised but the password is not, is there any action that can now be performed against the account which couldn't previously, when 2fa wasn't enabled?

My question is essentially: is the 2fa purely extra security, or is it trusted without the password in any situation? If I publish my text messages world-readable in real-time and post the TOTP key in the local newspaper, is my GH account still secure provided the password remains as secret as it was previously?


I use FreeOTP on mobile https://freeotp.github.io/ : it's another device than my computer (storing this on the same computer kind of defeats the purpose), Free, seems trustable, practical, works with all the sites that need it. (edit: link)


I looked at FreeOTP, but it doesn't let me export keys, so it's not what I'm looking for.


If you're importing the key into FreeOTP, you could just take a second copy of the key to store elsewhere too? TOTP keys are just short base32-encoded bitstrings.


I personally use Proton Pass' (browser extension and mobile app) OTP feature. Yes, it is (primarily) a password manager, but it can add OTP keys without a password. I would have recommended GNOME Authenticator, but it corrupted my OTPs and couldn't start.


I use Aegis[1] on mobile and OTPClient[2] on my computer, both are regularly backed up on change.

I do not use the TOTP feature in my password manager as I feel it will defeat the purpose of 2FA (though I can split it to a new DB in KeePassXC).

For my work, the company uses a proprietary password manager, I just don't install it in any of my personal computing devices.

- [1]: https://github.com/beemdevelopment/Aegis

- [2]: https://github.com/paolostivanin/OTPClient


Dealt with it a few hours ago. Because of GitHub, as well.

I chose KeePassXC on the desktop. It has a database which you can move around and back up. There is an app for Linux and macOS 10.13+ (because of Qt5). For iOS, a quick search shows up something called KeePassium.

These apps seem to work with a certain database format (kdbx), so for sync you might need to place the database somewhere online (iCloud, as an example). Otherwise, you might not need syncing if you don't add 2FA accounts to your database that often.


I use andOTP[0] which auto-exports an encrypted backup to a local folder, which is then synced with Syncthing[1] to my NAS.

It's seamless and doesn't need an internet connection.

- [0]: https://github.com/andOTP/andOTP

- [1]: https://syncthing.net/


You can try this: https://www.themooltipass.com/

It's a hardware device with TOTP support. It works as a USB/Bluetooth keyboard and will type passwords for you.


Completely uninterested in a hardware device.


While you're busy shooting down perfectly good recommendations, perhaps it would be helpful for you to explain your threat model and security considerations. Because the way you're planning to shove your secrets into your password manager is reducing your 2FA to 1FA, after all. Furthermore, your demand for exportable secrets is defeating most of the security of TOTP secrets. High-quality authenticators don't make any provision for exports.

So if you just want some security theater and you just want to tick the box that reads "2FA" and you don't actually want more security than a username and a password, then knock yourself out, and do what you propose, but I'm not going to be here suggesting anything better for you.


My threat model is: I'm perfectly fine with the security of just using a password manager and I have no need for the additional security provided by 2FA, but GitHub will lock my account if I don't add 2FA, so I'm trying to find the least impractical way to add 2FA with the lowest chance of accidentally locking myself out of my account due to losing a hardware device or phone.

My absolute requirements are:

* I must be able to log in without a phone. I will not let Apple be the arbiter of whether I'm allowed to log in to my accounts or not.

* I must not have to carry around an extra hardware device everywhere I go.

* I must not get locked out of my accounts if I lose a device.

* I must be able to log on to random other systems (other people's computers, temporary VMs, whatever), though in these situations, having to rely on a phone is acceptable.

* Whatever solution I pick must not include switching password managers or depending on some closed source service.


These requirements are pretty tough to meet. The above answer about using KeePassXC on desktop, and syncing the db to your phone is probably the best solution, as it meets every requirement except not switching password managers.

If you like Bitwarden, it will do what you want if you pay for their premium account. If you don't want to do that, you can host your own Bitwarden server (I think that this implementation does 2FA, but I'm not positive):

https://github.com/dani-garcia/vaultwarden


Raivo is another option on iOS.

https://github.com/raivo-otp/ios-application


I use Bitwarden's TOTP feature for all the sites where 2FA is mandatory, which is trading websites in my country.


I use oathtool to generate TOTP codes and copy them with xclip or pbcopy. You can take a backup of this bash script any way you like.
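Two comments above touch on the mechanics: the one noting that TOTP keys are just short base32-encoded bitstrings, and this one generating codes from the command line with oathtool. As an added example (not code from anyone in this thread, nor from oathtool or any of the apps mentioned), here is what such a script does internally: RFC 4226 HOTP plus RFC 6238 TOTP in plain Python, with a decoder that tolerates the lowercase, spaced or unpadded secrets you get when copying keys between apps, an otpauth:// URI parser (the format a provisioning QR code encodes), and the server-side verify with a small skew window. The only key used is the RFC 6238 Appendix B test seed, so it runs offline; the otpauth URI in the demo is constructed for illustration.

```python
"""Added example: RFC 4226/6238 HOTP and TOTP for a base32 secret.

Not from any commenter in the thread. The only secret used is the
RFC 6238 Appendix B test seed ("12345678901234567890"), base32-encoded.
"""
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional
from urllib.parse import parse_qs, unquote, urlparse

# RFC 6238 Appendix B test seed (not a real account secret).
RFC6238_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def decode_secret(secret: str) -> bytes:
    """Decode a base32 TOTP secret as pasted from a QR code or password manager.

    Secrets in the wild are often lowercase, grouped with spaces or dashes,
    and missing '=' padding; a strict base32 decoder rejects all of those,
    so normalise before decoding.
    """
    s = "".join(secret.split()).replace("-", "").upper()
    s += "=" * (-len(s) % 8)
    return base64.b32decode(s)


def hotp(key: bytes, counter: int, digits: int = 6, algo: str = "sha1") -> str:
    """RFC 4226 HOTP: HMAC over the big-endian 64-bit counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), getattr(hashlib, algo)).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: str, at: Optional[float] = None, step: int = 30,
         digits: int = 6, algo: str = "sha1") -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step)."""
    if at is None:
        at = time.time()
    return hotp(decode_secret(secret), int(at // step), digits, algo)


def verify_totp(secret: str, code: str, at: Optional[float] = None, step: int = 30,
                digits: int = 6, algo: str = "sha1", window: int = 1) -> bool:
    """Server-side check: accept the current step and +/- `window` neighbours
    to absorb clock skew, comparing in constant time."""
    if at is None:
        at = time.time()
    key = decode_secret(secret)
    counter = int(at // step)
    for delta in range(-window, window + 1):
        if hmac.compare_digest(hotp(key, counter + delta, digits, algo), code):
            return True
    return False


def parse_otpauth(uri: str) -> dict:
    """Extract the fields of an otpauth://totp/... URI (what a provisioning QR
    code encodes), so the secret can be moved between authenticator apps."""
    u = urlparse(uri)
    if u.scheme != "otpauth" or u.netloc != "totp":
        raise ValueError("not an otpauth://totp URI")
    q = {k: v[0] for k, v in parse_qs(u.query).items()}
    label = unquote(u.path.lstrip("/"))
    if ":" in label:
        issuer, account = label.split(":", 1)
    else:
        issuer, account = "", label
    return {
        "issuer": q.get("issuer", issuer),
        "account": account.strip(),
        "secret": q["secret"],
        "digits": int(q.get("digits", 6)),
        "period": int(q.get("period", 30)),
        "algorithm": q.get("algorithm", "SHA1").lower(),
    }


if __name__ == "__main__":
    # Constructed provisioning URI using the RFC test seed.
    uri = ("otpauth://totp/Example:alice%40example.org?secret="
           + RFC6238_SECRET + "&issuer=Example")
    p = parse_otpauth(uri)
    print(p["issuer"], p["account"],
          totp(p["secret"], digits=p["digits"], step=p["period"], algo=p["algorithm"]))
```

The RFC 6238 vectors (time 59 gives 287082 with six digits, 94287082 with eight) double as a sanity check for any authenticator or script you build yourself, and `verify_totp` shows why a leaked secret is as good as the code itself: anyone holding the base32 string can compute every future code, which is the point the thread's "1FA" objection is making.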


I put this together to do it with one command: https://github.com/ohyhyb/totp


I don't think I can do that on iOS.


1password and Raivo on iOS as a backup



