Managing two-factor authentication with a password manager

Two-factor authentication management is one of the less obvious use cases for a password manager. Beyond storing TOTP codes alongside passwords, a password manager can serve as the canonical record of which accounts have 2FA enabled, which type (TOTP, hardware key, SMS), and where the backup codes are stored. Most people don't have this information organised, and the gap shows up when they switch phones, lose a hardware key, or need to recover an account.

The 2FA management question has three parts: where to store TOTP codes (in the vault or in a separate authenticator), how to track which accounts have 2FA enabled, and where to keep backup codes. None of these are solved by a password manager alone, but a password manager is the natural organising layer for all three.

Quick answer

You want TOTP codes stored and generated in the same app as passwords

Bitwarden (Premium) or Proton Pass — both store TOTP seeds and generate codes during autofill

You want 2FA management with the strongest separation between factors

Dedicated authenticator app (Aegis, Authy) alongside any password manager — keeps factors genuinely independent

You want hardware key 2FA for critical accounts

Any provider supports FIDO2; hardware key is managed independently of the password manager

When it matters

  • TOTP seed storage — Bitwarden (Premium) and Proton Pass store TOTP seeds encrypted alongside passwords. During login, the code is generated and available in the autofill flow
  • 2FA status tracking — using a secure note or custom field to record which accounts have 2FA enabled, which type, and where backup codes are stored; helps with phone migrations and account recovery
  • Backup code storage — backup codes for 2FA-enabled accounts should be stored somewhere accessible if the primary 2FA method is unavailable. Encrypted secure notes in a password manager are appropriate
  • Hardware key audit — tracking which accounts have hardware key support enables you to upgrade accounts from TOTP to hardware key systematically

When it fails

The most important warning in 2FA management with a password manager: if you store TOTP codes for your email account inside your password manager, and you use that email to recover your password manager account, losing vault access can create a circular lock-out.

  • Specifically: if your vault is locked, you can't get the TOTP code for email. If you can't access email, you can't reset your master password. Net result: locked out of everything
  • The mitigation: keep critical 2FA (email, password manager recovery) in a separate authenticator app, not in the vault. Store TOTP for everything else in the vault
  • Hardware keys for critical accounts are immune to this problem — they don't depend on the vault being accessible
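
The circular lock-out described above can be checked against a 2FA inventory before it happens. This is an added example, not part of the original article: the inventory layout, the account names and the function names are hypothetical, and it assumes the email password itself is remembered, so only the second factor is modelled.

```python
# Added example: find accounts that cannot be recovered from the factors
# you still physically hold. All names below are constructed for illustration.

def recoverable(inventory, held):
    """Return every resource that can be regained, starting from `held`.

    `inventory` maps a resource to its list of ways back in; each way is a
    set of things that must ALL be available. A resource is recoverable as
    soon as ANY one of its ways is fully satisfied.
    """
    ok = set(held)
    changed = True
    while changed:                      # iterate to a fixed point
        changed = False
        for name, ways in inventory.items():
            if name not in ok and any(way <= ok for way in ways):
                ok.add(name)
                changed = True
    return ok


def locked_out(inventory, held):
    """Resources in the inventory that stay unreachable."""
    return sorted(set(inventory) - recoverable(inventory, held))


# Constructed inventory matching the failure case in the text:
RISKY = {
    "vault": [{"email"}],               # vault recovery goes through email
    "email": [{"vault"}],               # email TOTP seed is stored in the vault
    "shop":  [{"vault"}, {"email"}],    # TOTP in vault, or reset by email
}

# Same inventory after the mitigation: email 2FA lives outside the vault.
MITIGATED = dict(RISKY, email=[{"authenticator_app"}, {"hardware_key"}])

if __name__ == "__main__":
    for label, inv in (("risky", RISKY), ("mitigated", MITIGATED)):
        print(label, "locked out:", locked_out(inv, {"authenticator_app"}))
```

Holding the separate authenticator app does nothing for the first inventory, because no way into email or the vault uses it; in the second, it reopens email, which reopens the vault and everything stored in it.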

How providers fit

Bitwarden — TOTP generation on Premium; backup codes stored as secure notes; hardware key support on Premium; open-source means TOTP implementation is auditable.

Proton Pass — built-in TOTP generation as a first-class feature; FIDO2 hardware key for the Proton account provides a separation between vault access and TOTP generation.

Keeper — TOTP stored in vault; enterprise deployments can enforce hardware key requirements for privileged accounts while allowing TOTP in vault for standard credentials.

Bottom line

Use a password manager for TOTP storage on standard accounts. Keep a hardware key or separate authenticator for your most critical accounts (email, vault recovery path). Store backup codes as encrypted secure notes. Use the vault as the 2FA record-keeping layer even if you use a separate authenticator app for code generation.
