
If an individual account password leaks, the second factor still protects the account.

This primarily only protects against leaked passwords from the site being hacked. Not from vaultwarden being hacked. But if my vaultwarden gets hacked I’m done anyway. They will have had to use multiple factors to get into the vaultwarden anyway.

Quick edit: I’ve also got all the codes in an actual Authenticator app on my phone (so I can get into vaultwarden if I have to). But they are additionally in vaultwarden for convenience. When vaultwarden autofills, it copies the code to my clipboard and I can seamlessly pass the second factor check. Either way, access to the codes needs physical access to a device I’m already on. In practice I’m only ever logged into vaultwarden on my phone and my PC, although I could log in remotely if I had to. As an additional safety measure, when my vault is logged into, some monitoring software sends me a push notification through an external service.


