[thaumasiotes]

> You cannot memorize TOTP password, nor you can store in your password manager. You also cannot pass that knowledge to another person.

But none of these things are true. For example, my most recent job involved sharing a 2FA-protected online account. We all had the code.

[theamk]

Sorry, "none of these things are true" in your environment. They are certainly true for other people, in fact, I bet they are true for majority of them.

I think analogy to physical house keys is very helpful. What did your work do?

Did you show the enrollment QR code, and multiple people scanned it --> this is like duplicating house key.

Did you put the key into password manager -> this is like that combination lockbox that releases house key if you enter the right combination.

People do all sorts of unusual things, this does not change the properties of intended usage.

[thaumasiotes]

> They are certainly true for other people, in fact, I bet they are true for majority of them.

Well, no. Everyone who uses TOTP, without exception, has their secret stored in a password manager. That's what the TOTP app or device is.

[theamk]

There is a big difference between TOTP app/device and a password manager.

The password manager returns passwords directly. They can be viewed, memorized, passed to another person, copied to another device, or checked into git.

With TOTP, there is a private key inside, but it is not accessible to user. You cannot view it, or memorize it, nor can you pass it to another person or check it into git. It is purely implementation detail which is not exposed in any way.

Disclaimer: this is the case with classical TOTP devices, like RSA SecurID hardware token, or un-rooted Android phone running Google Authenticator. I have those, and everyone I know have them as well.

There are exceptions, like people using LastPass 2FA or people who store TOTP secret on their PC. This is not intended usage, and it does not matter for most users.