
Should I store TOTP codes in my password manager or use a separate authenticator

Several password managers can store and generate TOTP two-factor authentication codes alongside your passwords — Bitwarden, Proton Pass, Dashlane, and Keeper all support this. The convenience case is obvious: one app holds both the password and the 2FA code, autofill handles both at login, and you have one fewer app to manage. The security case for keeping them separate is equally real: two-factor authentication exists specifically to create a second independent factor. Storing both factors in the same vault reduces the independence the second factor was designed to provide.

This is one of the genuinely contested questions in password management. Reasonable security practitioners disagree on the right answer. The correct choice depends on your threat model.

Quick answer

  • You want maximum security separation (two independent factors): dedicated authenticator (Aegis, Authy, or hardware key) — keeps the second factor genuinely independent of vault compromise
  • You want convenience and accept the theoretical reduction in factor independence: Bitwarden or Proton Pass — TOTP generation integrated with autofill; both available on their respective paid tiers
  • You want the strongest possible 2FA regardless of where passwords live: hardware security key (YubiKey, Titan) — immune to TOTP interception attacks; supported by Bitwarden, Keeper, NordPass, and others on Premium

When it matters

The argument for separation: two-factor authentication protects you when your password is compromised. If both factors live in the same vault, a single point of compromise — your vault being unlocked or stolen — provides an attacker with both. The second factor stops being a second factor.

The argument for consolidation: for most users, the realistic attack scenario is phishing or credential stuffing, not vault compromise. TOTP codes in a password manager are encrypted alongside passwords; an attacker who gets your vault backup still needs to crack your master password to access either. And a user who abandons 2FA entirely because managing two apps is too complex is materially less secure than one who stores TOTP in their vault.

  • The circular lock-out risk is concrete — if your vault is locked and Bitwarden is also your TOTP source for the email account you use to reset passwords, you can create a scenario where you cannot get into anything
  • Hardware keys eliminate this trade-off — FIDO2 hardware keys provide a genuinely independent second factor without the TOTP-in-vault compromise; supported by Bitwarden, Keeper, NordPass, Dashlane, and Proton Pass
  • Bitwarden and Proton Pass store TOTP codes in the same encrypted vault as passwords — the security is as strong as the master password and vault encryption

When it fails

  • Vault lock-out during TOTP dependency — if your vault is locked and the TOTP source for your email recovery address is inside that vault, you can create an unresolvable circular dependency
  • Single point of compromise for high-value accounts — for banking, work systems, or accounts with significant consequences, a dedicated authenticator app (with its own PIN or biometric) provides meaningful additional protection
  • Backup complexity — TOTP seeds in a vault are backed up with the vault; dedicated authenticator seeds require separate backup. Neither approach is uniformly better, but the backup strategy differs

How providers fit

Bitwarden stores TOTP seeds in the vault and generates codes at login (Premium). The integration is seamless. The circular lock-out risk is real and documented — Bitwarden's own help pages address it. Recommendation: do not store TOTP for your primary email or Bitwarden recovery account inside Bitwarden.
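The circular lock-out described in "When it fails" and in the Bitwarden recommendation above is a dependency-graph question, so it can be checked mechanically. The following is an added example (not code from the page or from any vendor): accounts, which accounts can recover which, and which second factors live inside the vault are modelled as constructed sample data, and the walk reports every account on the vault's own recovery path whose TOTP is locked inside that vault.

```python
from dataclasses import dataclass, field

@dataclass
class Account:
    name: str
    totp_in_vault: bool = False                       # second factor stored inside the vault
    recovers: list[str] = field(default_factory=list)  # accounts this one can reset/unlock

def recovery_graph(accounts: dict[str, Account]) -> dict[str, list[str]]:
    """Map each account to the accounts it depends on for recovery (reverse of `recovers`)."""
    deps: dict[str, list[str]] = {name: [] for name in accounts}
    for acc in accounts.values():
        for target in acc.recovers:
            deps[target].append(acc.name)
    return deps

def find_circular_lockouts(accounts: dict[str, Account], vault: str = "vault") -> list[str]:
    """Walk the recovery dependencies outward from the vault. Any account on that
    path whose TOTP lives in the vault cannot be logged into while the vault is
    locked, so the vault can never be recovered through it: a circular lock-out."""
    deps = recovery_graph(accounts)
    seen: set[str] = set()
    stack = [vault]
    blocked: list[str] = []
    while stack:
        name = stack.pop()
        if name in seen:
            continue
        seen.add(name)
        if name != vault and accounts[name].totp_in_vault:
            blocked.append(name)
        stack.extend(deps[name])
    return sorted(blocked)

# Constructed sample (hypothetical names): the vault is recovered via "email",
# and the email account's TOTP seed is stored in that same vault.
SAMPLE = {a.name: a for a in [
    Account("vault"),
    Account("email", totp_in_vault=True, recovers=["vault", "bank"]),
    Account("bank", totp_in_vault=True),   # TOTP in vault, but not on the vault's recovery path
    Account("work"),                       # second factor kept on a hardware key
]}

if __name__ == "__main__":
    print(find_circular_lockouts(SAMPLE))  # ['email']
```

"bank" keeps its TOTP in the vault but is not reported, which matches the bottom-line advice: only accounts the vault's own recovery depends on need their second factor kept outside it.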

Proton Pass has built-in TOTP generation as a first-class feature. It also integrates with Proton's hardware key support for the Proton account itself — a coherent approach where the password manager handles TOTP for most services, and the most critical account (Proton) is protected by a hardware key.

Keeper stores TOTP codes and generates them during autofill. Enterprise deployments can enforce hardware key requirements for privileged accounts while allowing TOTP in the vault for standard credentials.

Bottom line

For most users, TOTP in the password manager is a net security improvement over not using 2FA at all. The concrete mitigation: use a hardware key for your most critical accounts (email, work), and let the vault handle TOTP for everything else. Do not store TOTP codes for accounts you would use to recover the vault itself.
