I've thought about this a lot, and I feel that it's not really as big a detriment to safety as you might expect. It's not exactly the same as an air gapped token generator, obviously, but:
- It's still something you have, and don't know: the TOTP secret. What you transmit is a short term generated code, but unlike your password, you don't send the secret key at any point.
- The downside of air gapped tokens is that when they break or are lost or stolen, you have to somehow re-enroll with a new device. The security properties of this process are deeply variable between authorities, and there's always the risk of just total loss of access. If you have the TOTP secrets backed up in Bitwarden, you can avoid this.
- Vault software can keep all of these secrets encrypted using keys protected by biometrics on a phone, or an external device like a Yubikey, that are only unwrapped by a particular physical interaction. Usually the vault software does a better job than the average person of determining whether you're looking at a legitimate authentication prompt or a phishing site, and I suspect it's less likely to automatically enter your TOTP code into the wrong site than a person is when transcribing it by hand or copy-pasting.
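The point in the first bullet (the secret stays on both ends; only a short-lived derived code is ever sent) is easy to see in the RFC 4226/6238 arithmetic. The following is an added example, not code from the commenter or from Bitwarden: a minimal HOTP/TOTP generator plus a server-side verifier that tolerates one step of clock drift and refuses to accept a time step it has already accepted, so a code captured in transit cannot be replayed inside its 30-second window. The base32 secret and timestamps in the demo are constructed; the numeric test vectors are the RFC 6238 SHA-1 ones.

```python
import base64
import hashlib
import hmac
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6, algorithm=hashlib.sha1) -> str:
    """RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algorithm).digest()
    offset = mac[-1] & 0x0F                       # low nibble of last byte picks the window
    binary = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, timestamp: int, step: int = 30, digits: int = 6,
         algorithm=hashlib.sha1) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time (T0 = 0)."""
    return hotp(secret, timestamp // step, digits, algorithm)


def decode_base32_secret(text: str) -> bytes:
    """Secrets in otpauth:// URIs are unpadded base32; restore padding before decoding."""
    cleaned = text.strip().replace(" ", "").upper()
    return base64.b32decode(cleaned + "=" * (-len(cleaned) % 8))


class TotpVerifier:
    """Server side of the exchange. Holds the shared secret, never receives it over
    the wire, and accepts a code only if it matches a step within +/- window that
    has not already been consumed (blocks replay of a sniffed code)."""

    def __init__(self, secret: bytes, step: int = 30, digits: int = 6, window: int = 1):
        self.secret = secret
        self.step = step
        self.digits = digits
        self.window = window
        self.last_accepted_counter = -1

    def verify(self, code: str, timestamp: int) -> bool:
        counter = timestamp // self.step
        for candidate in range(counter - self.window, counter + self.window + 1):
            if candidate <= self.last_accepted_counter:
                continue                          # already used: reject replay
            expected = hotp(self.secret, candidate, self.digits)
            # constant-time comparison on bytes; a non-ASCII submission simply fails
            if hmac.compare_digest(expected.encode(), code.encode("utf-8", "replace")):
                self.last_accepted_counter = candidate
                return True
        return False


if __name__ == "__main__":
    # Constructed demo secret (hypothetical, not from any real enrollment).
    secret = decode_base32_secret("JBSWY3DPEHPK3PXP")
    now = int(time.time())
    code = totp(secret, now)
    server = TotpVerifier(secret)
    print("client sends code:", code)
    print("first use accepted:", server.verify(code, now))
    print("replay accepted:", server.verify(code, now + 5))
```

The verifier keeps only the shared secret and the last accepted step, which is what lets a backed-up secret in a vault re-enroll nothing: the server state is unchanged whether the client is a phone app, a vault, or a hardware token.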