If you do not need QR codes, oathtool is great. You can protect your tokens, recovery codes etc. with gpg -c or similar, so the encryption is entirely separate from the authentication mechanism.

And you actually know what is going on. Works for GitHub.

https://www.nongnu.org/oath-toolkit/