MFA/2FA Mobile Device Sync Without Storing on Server

Are there any plans to add a feature for the vault to sync MFA between two or more devices without storing the codes on the server?
This is likely a unique feature request, most people likely are happy the way it is.
This is fine, but I’m not comfortable with having all the access in one place.
You're going against the fundamental purpose of MFA, a separate entity/device that adds a high layer of security.
By putting everything on a cloud device, you're effectively making it single factor if there ever was a breach to the vault.

What I have currently is a primary phone with MFA codes, and a backup MFA phone replicated through manual backup and restore.
If something happens to the primary phone the backup phone can be used.

It would likely be difficult to have them sync bidirectionally without the vault being the arbiter (keeping data), so it could just sync one way; this is all you need.
Primary device → secondary device, the latter always accepting all changes and avoiding conflicts (read-only).
In this configuration the vault has the codes in transit but never at rest.
Should there be a breach to the vault, the attacker has all the logins but no MFA, all while the user has synced devices acting as a backup.
The sync could be triggered every x number of hours or days, or just when the MFA detects a change on the primary device.

2 Likes
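A sketch of the one-way, in-transit-only sync described in the post above, as an added example (not code from the original post and not Bitwarden's implementation). It assumes a pairing secret exchanged out of band between the two phones (e.g. by scanning a QR code) so the relay never holds the key, an incrementing version number to make the secondary accept-only and replay-safe, and an HMAC-SHA256 counter-mode keystream with an encrypt-then-MAC tag as a stdlib-only stand-in for a real AEAD (AES-GCM or ChaCha20-Poly1305 in practice). The seed values are constructed sample data; the TOTP routine follows RFC 6238.

```python
"""One-way, end-to-end encrypted MFA seed sync: primary -> relay -> secondary.
Added example, not the forum poster's or Bitwarden's code. The relay (the
'vault') only forwards an opaque blob and keeps nothing it can read."""
import base64, hashlib, hmac, json, os, struct, time

def derive_keys(pairing_secret):
    # Independent encryption and MAC keys from the out-of-band pairing secret (assumed).
    enc = hmac.new(pairing_secret, b"mfa-sync-enc", hashlib.sha256).digest()
    mac = hmac.new(pairing_secret, b"mfa-sync-mac", hashlib.sha256).digest()
    return enc, mac

def _keystream(enc_key, nonce, length):
    # HMAC counter mode: stand-in for a real stream cipher, never reuse (key, nonce).
    out, ctr = b"", 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + struct.pack(">I", ctr), hashlib.sha256).digest()
        ctr += 1
    return out[:length]

def seal(pairing_secret, version, seeds):
    """Primary side: encrypt-then-MAC the seed set together with its version."""
    enc, mac = derive_keys(pairing_secret)
    plaintext = json.dumps({"version": version, "seeds": seeds}, sort_keys=True).encode()
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc, nonce, len(plaintext))))
    tag = hmac.new(mac, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def open_(pairing_secret, blob):
    """Secondary side: verify the tag before decrypting; reject anything modified."""
    enc, mac = derive_keys(pairing_secret)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(mac, nonce + ct, hashlib.sha256).digest(), tag):
        raise ValueError("tampered blob or wrong pairing key")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(enc, nonce, len(ct)))))

class Relay:
    """The server-side vault: holds the blob only while in transit, never at rest."""
    def __init__(self):
        self.pending = None
    def upload(self, blob):
        self.pending = blob
    def download(self):
        blob, self.pending = self.pending, None   # handed over; nothing retained
        return blob

class Secondary:
    """Read-only mirror: accepts every newer update, never rolls back."""
    def __init__(self, pairing_secret):
        self.pairing_secret, self.version, self.seeds = pairing_secret, 0, {}
    def apply(self, blob):
        update = open_(self.pairing_secret, blob)
        if update["version"] <= self.version:
            return False                          # stale or replayed update: ignore
        self.version, self.seeds = update["version"], update["seeds"]
        return True

def totp(base32_seed, t=None, step=30, digits=6):
    """RFC 6238 TOTP (HMAC-SHA1) so both phones can be shown to agree on a code."""
    key = base64.b32decode(base32_seed.upper() + "=" * (-len(base32_seed) % 8))
    counter = int((time.time() if t is None else t) // step)
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = (struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return f"{code:0{digits}d}"

def run_demo():
    pairing_secret = os.urandom(32)               # scanned phone-to-phone; relay never sees it
    relay, secondary = Relay(), Secondary(pairing_secret)
    seeds = {"example-site": "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"}   # constructed sample seed
    relay.upload(seal(pairing_secret, 1, seeds))
    relay_sees_plaintext = seeds["example-site"].encode() in relay.pending
    applied_first = secondary.apply(relay.download())
    relay.upload(seal(pairing_secret, 1, {"example-site": "AAAAAAAA"}))   # replayed version
    applied_stale = secondary.apply(relay.download())
    tampered = bytearray(seal(pairing_secret, 2, seeds)); tampered[20] ^= 1  # flip a ciphertext bit
    try:
        secondary.apply(bytes(tampered)); tamper_rejected = False
    except ValueError:
        tamper_rejected = True
    return {"relay_sees_plaintext": relay_sees_plaintext, "applied_first": applied_first,
            "applied_stale": applied_stale, "tamper_rejected": tamper_rejected,
            "relay_retains": relay.pending is not None,
            "codes_match": totp(seeds["example-site"], 59) == totp(secondary.seeds["example-site"], 59)}

if __name__ == "__main__":
    print(run_demo())
```

The version check is what makes the "secondary always accepts all changes" rule safe: it accepts every newer update from the primary without merging, but a replayed or older blob cannot roll the mirror back to a seed set the primary has since rotated. A compromised relay in this model sees only ciphertext and the fact that a sync happened.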

… I think there is a feature request that matches your suggestions:

1 Like

I’ll link this post there; it seems to be from before Bitwarden added sync.

I think so. But I also think it doesn’t matter, as it proposes a different “feature” than the current sync feature.

1 Like