Keepass, use different db stores for passwords than for the MFA/TOTP. never store the keepass db passwords anywhere except your head. Use a different device for the totp db than the passwords.