Wow, this might be the answer to a question that's been bugging me for a while!
It didn't seem right to keep all of my TOTP secrets isolated on one easily lost/stolen/broken device (phone), so when I realized KeePass supported generating TOTP codes I moved all my TOTP secrets into my password database (which is synced around all my devices) then deleted the single-purpose authenticator app as unnecessary.
But then it didn't seem right to have all of my TOTP secrets live in my normal vault with my credentials since that loses the "second factor". Nor did it seem like it would help to make a separate database for TOTP secrets and sync it around too - still no second factor, plus added friction to open both databases on every login.
But as you say, I could keep TOTP secrets in two places - in an authenticator app on my phone with no syncing for daily use (keeps the two-factorness because it's on a single device, and is low friction because it piggybacks on the security of my phone and doesn't require a separate login) AND in a TOTP-specific password database that's synced around but opened only rarely (in the cases you described).
Thanks for the hint about tuning hashing rounds; didn't know that could be configurable! Looks like KeePass supports that too; I'll look into that.
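The reason the commenter's first setup "loses the second factor" is that a TOTP code is a pure function of the shared secret and the current time: anyone holding the secret, whether an authenticator app or a synced vault, can produce valid codes. The following RFC 6238 implementation is an added example (not code from the comment, from KeePass, or from any authenticator app) that makes this concrete: two "devices" seeded with the same secret always agree on the code, and a verifier only needs the secret and a clock. The secret, base32 string and timestamps below are the published RFC 6238 test vectors, not values from any real account.

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional


def hotp(secret: bytes, counter: int, digits: int = 6, algorithm=hashlib.sha1) -> str:
    """HOTP (RFC 4226): HMAC over the big-endian counter, dynamically truncated."""
    msg = struct.pack(">Q", counter)
    digest = hmac.new(secret, msg, algorithm).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, timestamp: Optional[int] = None, step: int = 30,
         digits: int = 6, algorithm=hashlib.sha1) -> str:
    """TOTP (RFC 6238): HOTP with the counter set to floor(unix_time / step)."""
    if timestamp is None:
        timestamp = int(time.time())
    return hotp(secret, timestamp // step, digits, algorithm)


def decode_base32_secret(encoded: str) -> bytes:
    """Decode the base32 secret from an otpauth:// URI or QR code.

    Apps commonly strip padding and insert spaces, so normalise first.
    """
    cleaned = encoded.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


def verify_totp(secret: bytes, candidate: str, timestamp: Optional[int] = None,
                step: int = 30, digits: int = 6, window: int = 1) -> bool:
    """Server-side check: accept the current step and +/- `window` steps for clock drift.

    Uses a constant-time comparison so the check does not leak matching digits.
    """
    if timestamp is None:
        timestamp = int(time.time())
    current = timestamp // step
    for counter in range(current - window, current + window + 1):
        if hmac.compare_digest(hotp(secret, counter, digits), candidate):
            return True
    return False


def codes_agree(secret: bytes, timestamp: int) -> bool:
    """Simulate a phone app and a synced vault holding the same secret.

    Both derive the same code from secret + time, which is why a secret stored
    alongside the password in the same vault no longer acts as an independent factor.
    """
    phone_code = totp(secret, timestamp)
    vault_code = totp(secret, timestamp)
    return phone_code == vault_code


if __name__ == "__main__":
    # Constructed from the RFC 6238 Appendix B test vector (SHA-1, ASCII "1234567890" x2).
    rfc_secret = decode_base32_secret("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ")
    for ts in (59, 1111111109, 1234567890):
        print(f"t={ts:>10}  6-digit={totp(rfc_secret, ts)}  8-digit={totp(rfc_secret, ts, digits=8)}")
    print("phone and vault agree:", codes_agree(rfc_secret, 59))
    print("previous step accepted within window:", verify_totp(rfc_secret, totp(rfc_secret, 59), timestamp=89))
```

The `window` parameter in `verify_totp` is the usual trade-off a service makes between tolerating clock drift and widening the set of acceptable codes; keep it small and rate-limit attempts on the server side.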