Free TOTP for bitwarden.com

I think I should answer some of the issues above:

  1. As for the cross-platform TOTP:
    On desktop: KeePassXC, Authy. How to use KeePassXC as TOTP
    On mobile: Authy, available for both iOS and Android.
    If you are on Android, Aegis is also good since it can back up your TOTP somewhere else.

  2. I am not a fan of putting both TOTPs and my passwords in Bitwarden. It will defeat the purpose of creating the TOTP itself. I use Authy most of the time, back up the TOTP online, and link everything with my phone number. How Authy 2FA Backups Work - Authy

  3. You should store the TOTP secret keys separately from your passwords. Should someone be able to access your secret key or TOTP QR code, he can generate the same TOTP as yours.
    More info here on stackexchange.

  4. Keep in mind that 2FA or TOTP is not bulletproof. Should your device be infected by malware, it can steal your TOTP.
    Read the news here: Android malware can steal Google Authenticator 2FA codes | ZDNet
    There is already a case where a BW user was infected like this, his account was hacked, and you can read about that on the Bitwarden subreddit here.
    The safer model would be to use different devices for TOTP and your password. For example, using the Bitwarden app on Windows and then Aegis on your phone. Should your Windows computer be infected by malware, the malware cannot steal your TOTP on Android. And vice versa.