I'm really sorry for the situation you find yourself in and agree that it sucks. I'm replying because I want to mention that it is possible to use 2FA without any form of vendor lock-in (although I realize this doesn't help you retrospectively fix your existing issue). I'm not trying to be a wise ass, I just want to share some pointers for folks who are interested in avoiding or remedying this problem (which is a bit of a tricky problem).
I've been using pass (https://www.passwordstore.org/) for quite a few years now and it allows to use multiple GPG keys to encrypt secrets in different subfolders. So I have a default GPG key that encrypts all my regular passwords, protected by a master password that is easy enough that I can regularly type it in on my smartphone.
Then I have a second GPG key with a much more complicated password that I use to encrypt my 2FA secrets (strings like "FX5D MJE8 F9F9 XFE0" that can be used to "seed" apps like Google Authenticator). These 2FA secrets I never access on my smartphone, I only access them on my laptop where I have a proper keyboard to type in the absurdly long password required to unlock these.
I wrote a small Python script that takes a 2FA secret and uses it to generate a TOTP URL that is then fed to "qrencode" (a command line program available on Linux and MacOS) which renders a QR code that I can scan into a TOTP app like Google Authenticator (like if I was first signing up for 2FA via the original website or service, the only thing that changes is who generates the QR code and when).
Because I saved the original 2FA "seeds" (my term, not sure what the proper term is here, but it's akin to the seed you feed into a random number generator) I can regenerate the QR code whenever I wish, which means that if my smartphone dies and I lose the 2FA secrets loaded into Google Authenticator, I can take an empty new smartphone, install Google Authenticator, and rescan all of the QR codes that bootstrap my 2FA sequences via my laptop. The other side (the website or service where I enabled 2FA) never needs to know I went through this procedure, in fact fundamentally it cannot know.
I've been using this same scheme to share 2FA codes with a team of system administrators so that we can properly protect e.g. AWS root accounts while still providing multiple individuals access without being tied to a single smartphone or 2FA app.
So long story short, it is possible, although admittedly (my way) it does require some cobbling together of different tools in order to get a workflow that handles this smoothly. But I sleep better at night knowing that all of my important accounts are protected by 2FA yet I can never be locked out of them, even if I lose my smartphone or laptop (the actual password store git repository lives on my server where it is backed up to several disks every couple of hours).
That is not the TLDR I intended. If you store your OTP secrets in the same password store that also stores your regular passwords, you've just completely undermined the second factor of security.
> If you store your OTP secrets in the same password store that also stores your regular passwords, you've just completely undermined the second factor of security.
Which, to be clear, is perfectly fine. 2fa is completely unnecessary: the increased risk of getting locked out from my accounts and the risk of using services from companies like Twilio and Google is greater than the risk of someone guessing long randomly generated passwords.
The TLDR describes your method accurately, though. You do store your OTP secrets in a password store.
That said, the significance of using two separate password stores isn't clear to me. Under what threat model is that supposed to be an improvement over a single password store? Basically, your idea is that passwords are less essential than OTP secrets, so you take less care keeping them safe. However I think it'd make more sense to just apply proper protection for all secrets.
I've been using pass (https://www.passwordstore.org/) for quite a few years now and it allows to use multiple GPG keys to encrypt secrets in different subfolders. So I have a default GPG key that encrypts all my regular passwords, protected by a master password that is easy enough that I can regularly type it in on my smartphone.
Then I have a second GPG key with a much more complicated password that I use to encrypt my 2FA secrets (strings like "FX5D MJE8 F9F9 XFE0" that can be used to "seed" apps like Google Authenticator). These 2FA secrets I never access on my smartphone, I only access them on my laptop where I have a proper keyboard to type in the absurdly long password required to unlock these.
I wrote a small Python script that takes a 2FA secret and uses it to generate a TOTP URL that is then fed to "qrencode" (a command line program available on Linux and MacOS) which renders a QR code that I can scan into a TOTP app like Google Authenticator (like if I was first signing up for 2FA via the original website or service, the only thing that changes is who generates the QR code and when).
Because I saved the original 2FA "seeds" (my term, not sure what the proper term is here, but it's akin to the seed you feed into a random number generator) I can regenerate the QR code whenever I wish, which means that if my smartphone dies and I lose the 2FA secrets loaded into Google Authenticator, I can take an empty new smartphone, install Google Authenticator, and rescan all of the QR codes that bootstrap my 2FA sequences via my laptop. The other side (the website or service where I enabled 2FA) never needs to know I went through this procedure, in fact fundamentally it cannot know.
I've been using this same scheme to share 2FA codes with a team of system administrators so that we can properly protect e.g. AWS root accounts while still providing multiple individuals access without being tied to a single smartphone or 2FA app.
So long story short, it is possible, although admittedly (my way) it does require some cobbling together of different tools in order to get a workflow that handles this smoothly. But I sleep better at night knowing that all of my important accounts are protected by 2FA yet I can never be locked out of them, even if I lose my smartphone or laptop (the actual password store git repository lives on my server where it is backed up to several disks every couple of hours).