Self hosted bitwarden typically, but aegis for true device linked OTPs that don't live in the same DB as the password

(Bitwarden makes 2FA somewhat moot, since it's just another "something you know" not "something you have" in addition)