When you use Bitwarden as a password manager, enable 2FA.
Pro tip: When you set up 2FA with at least two methods/devices, disable the email 2FA that is enabled by default after setting up 2FA.
If you are looking for a TOTP app, check andOTP on F-Droid, as it allows you to make encrypted backups of the material.
Otherwise, buy a YubiKey and use the U2F method, which is the most secure option.
Two additional tips:
1. Prefer FIDO U2F over OATH-TOTP since TOTP relies on shared secrets while U2F relies on asymmetric keys. The newest standard WebAuthn is also supported by the latest YubiKey series.
2. You can also use YubiKeys/Nitrokeys for generating OATH-TOTP. This is more secure than storing TOTP secrets on your phone. Some tokens come with NFC for mobile use.
The biggest advantage of U2F/WebAuthn in my opinion is that browsers automatically mix the origin (domain name) into the challenge. So it’s completely impossible to phish https://accounts.google.com credentials from https://evil.com.
The second advantage is that it’s dead simple — it’s just a token with one button in the simplest case, no scanning codes, no re-typing digits, no timing issues.
The disadvantage is of course that it’s not possible (by design) to back up tokens. FIDO recommends enrolling more tokens to one’s account but some services (AWS IIRC) don’t support multiple tokens (that’s a *very* bad idea).
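
The origin binding described above, seen from the relying party's side, as an added example that is not part of the original posts. `browserClientData` and `verifyClientData` are hypothetical names, the challenge is constructed, and the example assumes the authenticator's signature over this client data is verified separately.

```javascript
// Added example: server-side check of WebAuthn clientDataJSON.
// All sample values are constructed; function names are hypothetical.
const EXPECTED_ORIGIN = "https://accounts.google.com"; // origin named in the thread

// Stand-in for the browser: the browser, not the page's script, records the
// origin of the page that called navigator.credentials.get().
function browserClientData(pageOrigin, challengeB64url) {
  const clientData = { type: "webauthn.get", challenge: challengeB64url,
                       origin: pageOrigin, crossOrigin: false };
  return Buffer.from(JSON.stringify(clientData), "utf8");
}

// Relying party: validate the client data that the signature covers.
function verifyClientData(clientDataJSON, expectedChallenge, expectedOrigin) {
  let data;
  try {
    data = JSON.parse(Buffer.from(clientDataJSON).toString("utf8"));
  } catch {
    return { ok: false, reason: "malformed clientDataJSON" };
  }
  if (data === null || typeof data !== "object") {
    return { ok: false, reason: "malformed clientDataJSON" };
  }
  if (data.type !== "webauthn.get") return { ok: false, reason: "wrong type" };
  // The challenge is single-use and tied to this login attempt.
  if (data.challenge !== expectedChallenge) {
    return { ok: false, reason: "challenge mismatch" };
  }
  // Exact comparison: prefix or substring matching would accept look-alike
  // hosts such as accounts.google.com.evil.com.
  if (data.origin !== expectedOrigin) return { ok: false, reason: "origin mismatch" };
  return { ok: true, reason: "client data accepted" };
}

// Constructed challenge issued by the real site for one login attempt.
const challenge = Buffer.from("constructed-challenge-0001").toString("base64url");
const check = (origin) =>
  verifyClientData(browserClientData(origin, challenge), challenge, EXPECTED_ORIGIN);

const genuine = check(EXPECTED_ORIGIN);
// Relay case: the phishing page forwards the real challenge to the victim's
// token, but the browser stamps the phishing page's own origin.
const phished = check("https://evil.com");
const lookalike = check("https://accounts.google.com.evil.com");

console.log({ genuine, phished, lookalike });
```
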