by spectralblu 2672 days ago
Yup. It's arguable whether TOTP secrets stored in Google Authenticator are a true "something you have" factor, but this came at a tradeoff because not everybody wants to pay for an RSA token generator and carry that around. Assuming the Android system is secure (big assumption, bear with me here), this is closer to a "something you have" factor because it's difficult, if not impossible, for users to retrieve the secrets from the GA app.
3 comments

To expand on what you're saying:

TOTP as a "something you have" approach to 2FA is entirely dependent on how well the device secures the secrets.

An RSA key's private key is (nearly?) impossible to retrieve. The Google Authenticator's TOTP keys are a bit easier. A file on a laptop is even easier.

I believe iPhones now come with on-board TPMs? So in theory you could actually generate the private key on the TPM, and then your phone becomes the "thing you have" to a higher degree of security than authenticator apps.

Not sure about any apps that take advantage of that yet, but the hardware seems to be there.

TPMs have been in phones for years actually, both iPhones and Android phones. The iPhone chips have become a lot better the last year or two though. Some apps, like government or banking apps, actually have been using ARM TrustZone (and probably Apple's T2 chip) for secret storage already.

If you use krypt.co, you can store ssh and GPG keys on your phone's TPM, as well as a secret key for use with a browser addon to facilitate WebAuthn. So, you can already use your phone as the "thing you have".

Not sure about any apps that take advantage of that yet

All iOS apps essentially do, if they store things in the keychain or even the filesystem.

Well, Android devices do have TrustZone, where keys are bound to the hardware and to the user's identification (PIN/password). Sadly, Google Authenticator doesn't seem to be using that. AndOTP does have an Android KeyStore backend, which uses TrustZone.
TOTP is a second factor so long as you store the information to generate it on a second device.
I think the 2FA objective is to protect mainly from password leaks. If an attacker has access to the files on your laptop, aren't they able to intercept 2FA codes too, even if they are generated on another device? Such attacks are not purely theoretical; we could observe them in the real world.

Apart from that, I believe that TOTP keys should be encrypted, and that is actually my main issue with the described tool: it stores the keys in plaintext, in a config file.
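The point made in both threads above, that a TOTP "something you have" is exactly as strong as the secrecy of the seed, and that a plaintext config file hands the whole factor to whoever can read it, is easy to make concrete. The following is an added example written for this page, not code from Google Authenticator, AndOTP or the tool under discussion: a minimal RFC 4226/6238 HOTP/TOTP implementation, checked against the RFC 6238 test seed "12345678901234567890", plus a function that reads a constructed, plaintext INI-style config (the `[github]`/`[vpn]` sections, the `secret`/`digits` keys and the file layout are all hypothetical) and produces every account's current code the way an attacker with a copy of the file would.

```python
import base64
import configparser
import hashlib
import hmac
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """HOTP (RFC 4226): HMAC over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6, algo=hashlib.sha1) -> str:
    """TOTP (RFC 6238): HOTP with counter = floor(unix_time / step)."""
    return hotp(secret, int(at) // step, digits, algo)


def verify_totp(secret: bytes, code: str, at: int, step: int = 30, window: int = 1) -> bool:
    """Server-side check: accept +/- `window` steps of clock skew, constant-time compare."""
    counter = int(at) // step
    return any(
        hmac.compare_digest(hotp(secret, c), code)
        for c in range(counter - window, counter + window + 1)
    )


# Constructed sample (hypothetical layout) of a plaintext config file of the kind the
# comment objects to. Both secrets are the base32 encoding of the RFC 6238 test seed
# "12345678901234567890", so the resulting codes can be checked against the RFC vectors.
STOLEN_CONFIG = """\
[github]
secret = GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ

[vpn]
secret = GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ
digits = 8
"""


def codes_from_config(config_text: str, at: int) -> dict:
    """What an attacker who copied the config file can produce: every account's current code.

    Nothing here needs the phone, the laptop, or the user: the seed *is* the factor.
    """
    cfg = configparser.ConfigParser()
    cfg.read_string(config_text)
    codes = {}
    for name in cfg.sections():
        secret = base64.b32decode(cfg[name]["secret"].upper())
        digits = cfg[name].getint("digits", fallback=6)
        codes[name] = totp(secret, at, digits=digits)
    return codes


if __name__ == "__main__":
    # RFC 6238 vector: seed "12345678901234567890" at T=59 gives 94287082 (8 digits).
    seed = b"12345678901234567890"
    print("rfc vector:", totp(seed, 59, digits=8))
    print("codes from stolen config right now:", codes_from_config(STOLEN_CONFIG, int(time.time())))
```

The encoded seed in the config is all an attacker needs; `codes_from_config` is the whole "attack". A seed kept in a hardware keystore (TrustZone, Secure Enclave) that only exports HMAC results, not the key, does not have this property, which is the distinction the thread is drawing.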

2FA is to mitigate risk after the password is compromised, not to prevent password compromise in the first place.

That doesn't change the necessity of protecting TOTP keys, session keys, bearer tokens, etc.; it's just that your second factor is supposed to be a parallel factor, not an extra lock around your password.