IMO it's good practice to not one's vital 2FA codes held hostage on a service where one's accounts or IP address can be flagged for spam or abusive behavior by automated systems. (This also applies to Google Authenticator, for what it's worth!) Especially in a world where customer service teams are being trimmed wherever possible!
I use 1Password - its UI leaves some things to be desired, and it's not cheap, but it has zero incentive to cancel the account of any paying customer!
I switched out of Google Authenticator when they updated the app and all my 2FA just went away.
They did fix it with another update, but that was a seriously un-fun few days. Luckily I was just logged in to my AWS account so I could disable the 2FA.
Passkeys if the site supports them as a secure authenticator for 2FA/MFA (should pop up in your device if you try to setup a secure hardware authenticator on iphones and android) or TOTPs stored securely somewhere that isn't vendor locked.
I use Bitwarden for passwords only. I use Authy for the TOTP, although I should use something else.
I backup my TOTP seeds in KeepassXC. I also have an offline backup of my Bitwarden vault that is in a separate KeePassXC vault. I agree that I don't like the idea of one vault holding both bits of info.
The officially supported method is to login to each 2FA account and delete the old 2FA and generate a new one that you make sure to record separately. Authy really locks you in.
There are some unsupported methods a Google search away. I have had luck with this one in the past but haven't used in over a year, so can't vouch for it still working.
Authy appears to be up, but I guess if it were down, the only issue would be trying to setup a new device and have it sync over the 2FA codes? My understanding is after that initial sync, the TOTP it displays should all work offline.
