by londons_explore 2765 days ago
TOTP is far too easily phishable. User studies have shown that in any large organisation, some small percentage of even the most technical staff will enter an OTP into a phishing page. You might think 'I'm not that dumb', but study after study shows you are!

The future is hardware U2F tokens. They can securely check the web-origin of a request and only give the token to the correct origin.
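As an added example (not code from the thread), a minimal Python model of the origin check londons_explore describes: the simulated token only signs for the origin a credential was registered under, and the relying party verifies that origin inside the signed client data, so a code captured on a look-alike page is never produced. An HMAC key stands in for the token's private key, and all names and values are constructed.

```python
import hashlib, hmac, json, secrets

# Added example, not from the thread: a minimal model of U2F/WebAuthn origin binding.
# Real tokens sign with a per-credential private key; here an HMAC key stands in for it,
# so the relying party (RP) holds the same secret. All names and values are constructed.
RP_ORIGIN = "https://example.com"

class SimToken:
    """Simulated hardware token: one secret per (origin, key_handle)."""
    def __init__(self):
        self.creds = {}

    def register(self, origin):
        handle, key = secrets.token_hex(8), secrets.token_bytes(32)
        self.creds[(origin, handle)] = key
        return handle, key                      # the RP stores both

    def sign(self, origin, handle, challenge):
        # `origin` comes from the browser, taken from the page's real URL; a page cannot forge it.
        key = self.creds.get((origin, handle))
        if key is None:
            return None                         # unknown origin for this handle: refuse to sign
        client_data = json.dumps({"challenge": challenge, "origin": origin},
                                 sort_keys=True).encode()
        sig = hmac.new(key, hashlib.sha256(client_data).digest(), hashlib.sha256).digest()
        return client_data, sig

def rp_verify(key, challenge, client_data, sig):
    """RP side: fresh challenge, expected origin, and a signature that covers both."""
    data = json.loads(client_data)
    if data.get("origin") != RP_ORIGIN or data.get("challenge") != challenge:
        return False
    expected = hmac.new(key, hashlib.sha256(client_data).digest(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, sig)

def login(token, handle, key, page_origin):
    """One login from a page at `page_origin`; True if the RP accepts the assertion."""
    challenge = secrets.token_hex(16)           # RP issues a fresh challenge per attempt
    signed = token.sign(page_origin, handle, challenge)
    if signed is None:
        return False
    client_data, sig = signed                   # relayed to the RP unchanged
    return rp_verify(key, challenge, client_data, sig)

def demo():
    """Genuine login succeeds; a look-alike phishing origin gets nothing to relay."""
    token = SimToken()
    handle, key = token.register(RP_ORIGIN)
    return login(token, handle, key, RP_ORIGIN), login(token, handle, key, "https://examp1e.com")
```

Contrast this with TOTP, where the six digits carry no origin and verify identically wherever the user typed them.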

1 comment

Depends on your threat model; not everyone is going to pay for a hardware U2F. Not every application needs that high security. TOTP is an option that is definitely better than just a plain password, which is what most services use today.