• LastYearsIrritant@sopuli.xyz · 3 upvotes · 2 days ago

    Keeping it on physical paper helps in almost all cases.

    1 - It separates the backups from the internet, helping prevent security vulnerabilities from stealing your MFA codes. Cloud backups along with cloud passwords mean you would get caught up in any major data breach.
    2 - It allows you to set up a new device without needing to have the old device. If you lost/broke your phone, then those local QR code exports are gone.
    3 - People generally know how to keep physical things safe. You can put them in a bank’s safety deposit box, in a fire safe, or just in a folder in your desk. As long as they’re not also sitting near your passwords, they’re pretty useless to most people, and the likelihood that someone is going to physically try to swipe your account data is extremely low.
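A paper backup of a TOTP seed is only useful if what was written down is actually correct, so the one check worth doing before you rely on it is to regenerate a code from the transcribed seed and compare it with what the authenticator app shows. The following is an added example, not code from the thread or from any of the apps it mentions: a self-contained RFC 6238 TOTP implementation in Python that tolerates the spacing, dashes and lower case a hand-written or printed seed tends to pick up, plus a small helper that checks a transcribed seed against a code the app displayed, allowing one period of clock drift either way. The function and parameter names are this example's own.

```python
import base64
import hashlib
import hmac
import struct
import time


def normalize_paper_seed(seed_b32: str) -> bytes:
    """Turn a seed as written on paper into the raw HMAC key.

    Paper copies are usually grouped in blocks ('GEZD GNBV ...'), sometimes
    dashed, and often lower-cased; base32 padding is almost never written.
    """
    cleaned = "".join(seed_b32.split()).replace("-", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)  # restore the '=' padding base32 expects
    return base64.b32decode(cleaned)


def totp_from_seed(seed_b32: str, unix_time: int, digits: int = 6,
                   period: int = 30, algo=hashlib.sha1) -> str:
    """RFC 6238 TOTP: HOTP over the current time step (RFC 4226 truncation)."""
    key = normalize_paper_seed(seed_b32)
    counter = unix_time // period
    msg = struct.pack(">Q", counter)                 # 8-byte big-endian counter
    digest = hmac.new(key, msg, algo).digest()
    offset = digest[-1] & 0x0F                       # dynamic truncation offset
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def paper_backup_matches(seed_b32: str, code_shown: str, unix_time: int,
                         digits: int = 6, period: int = 30, window: int = 1) -> bool:
    """Does the transcribed seed reproduce the code the app is showing?

    A window of +/-1 period covers the app and this machine disagreeing by a
    few seconds about the time; a larger window only hides a bad transcription.
    """
    for step in range(-window, window + 1):
        candidate = totp_from_seed(seed_b32, unix_time + step * period, digits, period)
        if hmac.compare_digest(candidate, code_shown):
            return True
    return False


if __name__ == "__main__":
    # Constructed input: the RFC 6238 test seed ('12345678901234567890' in base32),
    # written the way it might appear on a printed backup sheet.
    paper_seed = "gezd gnbv gy3t qojq gezd gnbv gy3t qojq"
    print("code right now:", totp_from_seed(paper_seed, int(time.time())))
    # RFC 6238 reference value for T=59 with SHA-1 is 94287082 (last six digits: 287082)
    print("matches reference:", paper_backup_matches(paper_seed, "287082", 59))
```

Run it once when you make the paper copy, typing the seed back in from the paper rather than pasting it, so a transcription error is caught while the original device is still available rather than after it is lost.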

    • pipes@sh.itjust.works · 1 upvote · 1 day ago

      Great suggestions all around.

      I also avoid the cloud for this type of stuff (so no Bitwarden on someone else’s server). All my disks are encrypted at rest, and I keep the TOTPs both in Keepass and in Aegis. Both are backed up on machines/disks I control (via Syncthing and Seedvault mostly).