[kemitche]

To expand on what you're saying:

TOTP as a "something you have" approach to 2FA is entirely dependent on how well the device secures the secrets.

An RSA key's private key is (nearly?) impossible to retrieve. The Google Authenticator's TOTP keys are a bit easier. A file on a laptop is even easier.

[munchbunny]

I believe iPhones now come with on-board TPM's? So in theory you could actually generate the private key on the TPM, and then your phone becomes the "thing you have" to a higher degree of security than authenticator apps.

Not sure about any apps that take advantage of that yet, but the hardware seems to be there.

[jeroenhd]

TPMs have been in phones for years actually, both iPhones and Android phones. The iPhone chips have become a lot better the last year or two though. Some apps, like government or banking apps, actually have been using ARM TrustZone (and probably Apple's T2 chip) for secret storage already.

If you use krypt.co, you can store ssh and GPG keys on your phone's TPM, as well as a secret key for use with a browser addon to facilitate WebAuthn. So, you can already use your phone as the "thing you have".

[pvg]

Not sure about any apps that take advantage of that yet

All iOS apps essentially do, if they store things in the keychain or even the filesystem.