by nixgeek 3498 days ago
Feels a bit like MPLS being Layer 2 and Layer 3.

I think it protects you against someone who's capable of sniffing your password on the wire somehow, since every login will require a unique code, and the secret is not transmitted, but you lose the benefit of "knowledge" (password) and "possession" (device, generating TOTP) being separate?

Whether you care about this depends on your threat model. If you're solving for "What if my Secrets vault is stolen by a bad actor and they're able to decrypt it?" then clearly physical possession being separate would be important.