I mean where am I supposed to store the recovery key if not in my password manager? My Dropbox surely isn't better encrypted than my Bitwarden. I work with the assumption that my password manager is the least insecure piece of data storage I use.
I really don't get it. How isn't 2FA just security theater if we're all supposed to store the recovery keys "somewhere safe"? Can we really expect people to deal with recovery keys in a more responsible way than they do with passwords?
The average-case person is going to ignore the generated keys because they are deluged with nonsense every day and can't filter out what is important anymore. Lots of people will get locked out of accounts before they learn that there is now yet another unwanted tech bureaucratic layer to take seriously.
I'm guessing in 5 years it will be normal to set up security questions for 2FA recovery keys. Or we'll add another 2FA for 2FA key recovery. The adding of layers will continue until we are all "secure" and we'll all have to ask for our misplaced keys from the NSA.
My password manager (KeePassXC) supports multiple databases. I store all TOTP recovery codes in a separate database (and with a different unlocking password) from the one that has regular passwords and the TOTP secrets.
All my databases are backed up on someone-else's-computer, but I only keep the regular-passwords-and-TOTP-secrets database synced to my devices.
In practice, 2FA is just another password anyway. What it really helps with is password reuse.