- it's FOSS, and audited, so it's software I can trust
- great UX on Firefox, Chrome, and even Edge. I had my issues, but the project improved them away very quickly.
- sharing support for families or organizations.
- convenient standalone clients for Win/Mac/Linux... and even the CLI.
- built in 2FA code generation for each entry, so I don't need a separate app for that.
- the best autofill I've experienced, on desktop browser and even on mobile(!)
- open API so there are third party clients available
- the lead developer is super responsive on GH, so I've been able to contribute.
- cheaper than the alternatives (at least at the time), and I feel good about where my money is going.
I can't recommend it strongly enough. It's one of the OSS applications that has a permanent place on all my devices, right up there with Firefox Quantum in my "great examples of OSS" list.
"Catching" one 2FA code doesn't let you compromise someone's account.
Losing (or having compromised) the hardware running your password manager while that password manager is unlocked is a totally different thing from logging into a web site once from a library computer.
However, not having the TOTP key in your password manager would also protect against malware on the machine running the password manager from gaining access to your account.
It's less secure than a dedicated device for storage of the 2FA secrets and code generation, sure, but I don't see how it's any less secure than using a service like Duo to manage and sync your secrets.
Furthermore, I'd argue it's substantially more secure than the recovery process for almost all of the services I use, most of which offer an option to reset by SMS.
Finally, keeping your 2FA secrets in your password manager is very likely not to change the attack surface for most people anyhow, as most people keep their recovery codes in their password managers as well.
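To make the point in this thread concrete (that a single observed 2FA code is useless outside its time window, while the stored TOTP secret is what generates every code), here is an added example of RFC 6238 TOTP generation and verification. It is not code from the original discussion or from the password manager being discussed; it uses only the Python standard library, and the secret and timestamps are the published RFC 6238 test vectors, not real credentials.

```python
import hashlib
import hmac
import time

# Constructed inputs: the RFC 6238 reference secret (ASCII) and its test timestamps.
RFC_SECRET = b"12345678901234567890"
STEP_SECONDS = 30


def totp(secret: bytes, unix_time: int, step: int = STEP_SECONDS, digits: int = 8) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the 30-second counter, dynamically truncated."""
    counter = unix_time // step
    mac = hmac.new(secret, counter.to_bytes(8, "big"), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(value % (10 ** digits)).zfill(digits)


def verify(secret: bytes, code: str, unix_time: int, skew_steps: int = 1, digits: int = 8) -> bool:
    """Accept a code only for the current window plus/minus `skew_steps` windows.

    Constant-time comparison so a verifier does not leak which digits matched.
    """
    for delta in range(-skew_steps, skew_steps + 1):
        candidate = totp(secret, unix_time + delta * STEP_SECONDS, digits=digits)
        if hmac.compare_digest(candidate, code):
            return True
    return False


def captured_code_is_replayable(secret: bytes, captured_at: int, replayed_at: int) -> bool:
    """Model the 'catching one 2FA code' scenario from the thread.

    Returns True only if a code observed at `captured_at` would still be accepted at `replayed_at`.
    """
    observed = totp(secret, captured_at)
    return verify(secret, observed, replayed_at)


if __name__ == "__main__":
    # A code shoulder-surfed at one moment versus a login attempt much later.
    now = int(time.time())
    print("current code:", totp(RFC_SECRET, now))
    print("replay after 5 minutes accepted?", captured_code_is_replayable(RFC_SECRET, now, now + 300))
    # Holding the secret, on the other hand, yields a valid code for any moment.
    print("holder of secret can always produce:", totp(RFC_SECRET, now + 300))
```

The asymmetry the commenters are arguing about falls out directly: `verify` rejects a replayed code as soon as the window (plus the small clock-skew allowance) has passed, whereas anyone holding `RFC_SECRET` can call `totp` for any time at all. That is why the location of the secret, not of any individual code, is what matters in the threat model.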