After enabling 2FA, disabling SMS for 2-step and SMS for password resets, and ensuring that you don't have any phone number set as a way to get into your account, what is your plan for continuing to use your account if your phone is stolen?
It's also possible to install the seed for the TOTP generator on multiple devices - all the ones I've bumped into have a mechanism for typing in a long-ish string as well as scanning a QR code - record that string (secured like a password, in something like 1Password) and you can always re-seed another device to come up with the same codes. I've got all mine on two phones and an iPad - one of the phones is usually in my pocket, the other is almost always at home.
As always, it's a security/convenience tradeoff - I've gone from needing "something I know and something I have" to "something I know and any one of several things I have".
Your tradeoffs there may vary - if I were a political-dissident/whistleblower/drug-czar I'd probably consider the risk of losing access altogether preferable to opening up additional avenues for vulnerabilities - an NSA-level adversary would probably have a significantly easier time if they knew they only needed to stealthily subvert one of several devices (at least one of which I don't usually have on my person) to get access to all my tfa secured assets, but the additional risk if I'm protecting myself from 4chan-grade griefers or non-network-pervasive internet criminals is - for me - low enough to accept for the additional reliability and convenience of multiple authorised tfa token generating devices.
For all the sites that use TOTP, I have a screenshot of the QR code that was presented to me, encrypted with GPG (using a symmetric key and a random password) and then I put that encrypted file in my 1Password collection.
I feel reasonably secure about this (as secure as I'm feeling about all the passwords already there in 1password) and I have a huge advantage that changing my phone won't require remembering to disassociate all accounts first if I don't want to lose access to them.
As TOTP works without a back-channel, that QR code stays useable until I manually revoke that key on the respective web site.
In my experience, when setting up a new device, you have to scan the QR or type in a code, then verify a generated key or two to "confirm" the new device. I'm not sure if that's an optional step, but it seems like you'd need to log in first, thus creating a chicken-egg situation for yourself. I'm sure you could enroll another device (e.g. tablet that always stays in the house, SO's phone, whatever), but it doesn't seem like it'd work as you spelled it out.
Backup codes may be a good option if kept somewhere very safe.
The "enter a generated code to confirm" step is to confirm at the server end that you've got an identical seed - they (presumably) use that before committing that seed to your user account (to ensure you aren't about to lock yourself out). It's not needed at the client end.
I've got at least gmail, aws(/amazon), Github, Dropbox, Zoho, and several TOTP TFA protected WordPress sites on 3 different devices using this method. It definitely works. I see additional devices start to generate the same codes when I add the same seed (so long as their clocks are reasonably synced...)
This is using the Google Authenticator app on iOS and Android, I _think_ any RFC6238 compliant TOTP app that lets you type in a string to key it should "just work".
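An added illustration, not part of any comment in this thread: a minimal RFC 6238 TOTP (HMAC-SHA1, 30-second step) showing why every device keyed with the same string produces the same code, and why the server-side check only depends on the seed and the clock. The seed is the RFC 6238 test key in base32 (a constructed sample), and the function names and the plus/minus one step acceptance window are assumptions, not any particular site's behaviour.

```python
import base64
import hashlib
import hmac
import struct

# Constructed sample: RFC 6238 test key "12345678901234567890" in base32,
# i.e. the kind of string an authenticator app lets you type in.
SEED = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def totp(seed_b32, unix_time, step=30, digits=6):
    """Code for a given seed and clock reading; no device state is involved."""
    s = seed_b32.replace(" ", "").upper()
    s += "=" * (-len(s) % 8)                      # apps usually omit padding
    key = base64.b32decode(s)
    counter = struct.pack(">Q", int(unix_time) // step)
    digest = hmac.new(key, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                    # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def server_confirms(seed_b32, submitted, server_time, window=1, step=30):
    """Server-side check: accept a code from within +/- `window` time steps."""
    return any(
        hmac.compare_digest(totp(seed_b32, server_time + d * step, step), submitted)
        for d in range(-window, window + 1)
    )


def demo():
    server_now = 1111111109                       # RFC 6238 test time
    phone = totp(SEED, server_now)                # device 1
    tablet = totp(SEED, server_now)               # device 2, re-seeded from the stored string
    fast_clock = totp(SEED, server_now + 2)       # clock 2 s ahead, already in the next step
    return {
        "phone": phone,
        "tablet": tablet,
        "fast_clock": fast_clock,
        "strict_server": server_confirms(SEED, fast_clock, server_now, window=0),
        "tolerant_server": server_confirms(SEED, fast_clock, server_now, window=1),
    }


if __name__ == "__main__":
    print(demo())
```

Because the code is a pure function of seed and time, a stored copy of the seed (typed string or QR image) stays valid for as long as the site keeps that key enrolled.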
I have a similar method. When I set up 2FA on an account, I print out the QR code and scan this with the phone to verify it works. I then store the paper QR code in a safe place.
So you also need to make sure that your phone's browser doesn't have your Google password stored, and/or your phone's storage is encrypted with a strong-enough key.
Every time I go to https://www.google.com/settings/security and click on 2-step verification, I'm required to enter my password if I haven't done so in the last 5 min or so.
With this scheme someone can't access your account by stealing your phone. You also can't access your account by getting your phone number to point to your new phone though.
I didn't downvote. My reply was to "other trusted devices can bypass 2factor" about yes they can access the account but they can't change the password without knowing the current password.
(Accidentally deleted a comment of mine, this attempts to copy it)