by metafunctor 2122 days ago
Kind of, but TOTP differs from passwords in important ways. Unlike user-selected passwords, the TOTP secret is guaranteed to be unique and strong as it's generated by the server. Observing some TOTP codes doesn't reveal the secret, so even if the password leaks the TOTP secret probably remains safe. Finally, the TOTP secret is typically managed in a device separate from the one where the TOTP code is entered, making it harder to steal.

I think you can get most of the advantages by just assigning users their passwords. Users either have a password manager to store the assigned password in, or they’re totally insecure and can’t be trusted to make up a password. Either way, just assign something random to them.
It's not all that difficult to remember a strong password, and if you use it with pwdhash, it's unbreakable.
But you need multiple strong passwords for (almost) every site. You need at least one to start, and when one of those sites inevitably leaks all of its passwords you'll have to change that one. Also 50% or more of the sites will have incompatible password content rules, so you'll have to work around that.

Password managers are a lot easier than trying to keep the state for a deterministic system. They're just as unbreakable with a good master password, and actually work with real-world sites' rules around passwords.

See how it works: https://pwdhash.github.io/website/ - the master password is hashed with the site name, you supply the resulting hash as the password, and you can't reverse this hash if the master password is strong. The result has uppercase letters, lowercase letters and digits, which is good enough for most sites. In practice I saw one site restricting password length to 16 chars, but in the case of a hash 16 chars are decent: they contain 95 bits of entropy. And I saw one site requiring a fourth complexity - punctuation characters - this is easy to circumvent by adding a minus at the end; you can store this information in the open, since circumvention of password policy doesn't affect password strength.
I know how it works. It doesn't help the issues I listed. You can't change passwords when required without storing a database of site names & increments (or similar) to allow you to get the right password. So it's not stateless, and you may as well get all the other benefits of a properly encrypted storage database (autofill, metadata, storing extra things like TOTP keys, SSH keys, etc).
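The disagreement in the two comments above, as an added example that is not part of the thread and is not PwdHash's actual algorithm: a deterministic per-site derivation, plus the per-site record (rotation counter, policy suffix) that has to be stored somewhere to reproduce a rotated or policy-adjusted password. The HMAC-SHA256 construction, the function names, the site names and the `SITE_STATE` table are all assumptions made for illustration.

```python
import hashlib
import hmac
import math
import string

# 62 symbols: uppercase, lowercase, digits
ALPHABET = string.ascii_uppercase + string.ascii_lowercase + string.digits


def derive_password(master: str, site: str, counter: int = 0, length: int = 16) -> str:
    """Hypothetical scheme: HMAC-SHA256(master, site || counter || block) -> base62."""
    out, block = [], 0
    while len(out) < length:
        msg = f"{site}\x00{counter}\x00{block}".encode()
        digest = hmac.new(master.encode(), msg, hashlib.sha256).digest()
        for byte in digest:
            # Rejection sampling: 248 = 4 * 62, so accepted bytes map uniformly.
            if byte < 248 and len(out) < length:
                out.append(ALPHABET[byte % 62])
        block += 1
    return "".join(out)


def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Upper bound on output entropy; the master password's entropy still caps it."""
    return length * math.log2(alphabet_size)


# Constructed per-site state: without it the right password cannot be recomputed.
SITE_STATE = {
    "example.com": {"counter": 0, "suffix": ""},
    "rotated.example": {"counter": 2, "suffix": ""},  # changed twice after leaks
    "strict.example": {"counter": 0, "suffix": "-"},  # site demands punctuation
}


def password_for(master: str, site: str) -> str:
    state = SITE_STATE[site]
    return derive_password(master, site, state["counter"]) + state["suffix"]


if __name__ == "__main__":
    master = "constructed master passphrase"
    for site in SITE_STATE:
        print(site, password_for(master, site))
    print(int(entropy_bits(16)), "bits in 16 alphanumeric characters")
```

The counter and suffix are not secret, but losing them means losing the password, which is the state the reply refers to.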
Remember the Reddit app? Typically the TOTP secret is used on the same device where the TOTP code and password are entered (phoneposting).