SMS 2FA should be outlawed and it annoys me when the media talk about 2FA as if SMS is the ONLY method when they should be saying that TOTP is the method of choice and make it clear that any system that uses SMS is considerably less good (due to how insecure the mobile phone network actually is).

I never have had problems with too many passwords in KeePass (I now use mostly KeePassXC), I have way more than 800 entries.

For TOTP, I use my own Python script to generate the codes (which are not random btw, but based on the time of the server and a secret code). The “application passwords” that Google uses are less secure than many of my passwords because they become a single factor of a reduced character set (lowercase a through z only) and reduced and fixed length.

I create QR codes using qrencode on a Linux CLI, KeePass 2.x has a nice add-on for QR codes. I think that built-in support for QR codes will be part of KeePassXC 2.4 when it is released; it has been talked about.

Many people also do not understand that TOTP doesn’t require the use of Google Authenticator (I’m glad you are at least using an open-source app and moved away from Authy) and it isn’t the “domain” of Google… it’s much like Apple not inventing things, but implementing them and carrying on as if they invented them fully themselves.

Also, I have less trust than most with Android or other mobile devices so anything that needs a login but can wait for a “real” computer… can, well… wait.

All the tracking of Android by Google themselves is bad enough, but apps have all sorts of other tracking and I would rather avoid those apps; I didn’t need them yesterday, why do I need them today?