dale_glass

You can try this: https://www.themooltipass.com/

It's a hardware device with TOTP support. It works as an USB/Bluetooth keyboard and will type passwords for you.

mort96

Completely uninterested in a hardware device.

NoZebra120vClip

While you're busy shooting down perfectly good recommendations, perhaps it would be helpful for you to explain your threat model and security considerations. Because the way you're planning to shove your secrets into your password manager is reducing your 2FA to 1FA, after all. Furthermore, your demand for exportable secrets is defeating most of the security of TOTP secrets. High-quality authenticators don't make any provision for exports.

So if you just want some security theater and you just want to tick the box that reads "2FA" and you don't actually want more security than a username and a password, then knock yourself out, and do what you propose, but I'm not going to be here suggesting anything better for you.

mort96

My threat model is: I'm perfectly fine with the security of just using a password manager and I have no need for the additional security provided by 2FA but GitHub will lock my account if I don't add 2FA, so I'm trying to find the least impractical and way to add 2FA with the lowest chance of accidentally locking myself out of my account due to losing a hardware device or phone.

My absolute requirements are:

* I must be able to log in without a phone. I will not let Apple be the arbiter of whether I'm allowed to log in to my accounts or not.

* I must not have to carry around an extra hardware device everywhere I go.

* I must not get locked out of my accounts if I lose a device.

* I must be able to log on to random other systems (other people's computers, temporary VMs, whatever), though in these situations, having to rely on a phone is acceptable.

* Whatever solution I pick must not include switching password managers or depending on some closed source service.

jdenning
These requirements are pretty tough to meet. The above answer about using KeePassXC on desktop, and syncing the db to your phone is probably the best solution, as it meets every requirement except not switching password managers.

If you like Bitwarden, it will do what you want if you pay for their premium account. If you don't want to do that, you can host your own bitwarden server (I think that this implementation does 2FA, but I'm not positive:

https://github.com/dani-garcia/vaultwarden