by fanf2
2124 days ago
There are a number of challenge-response authentication systems, e.g. in my first job after university we used cryptocards (https://www.linuxjournal.com/article/8252). And my bank used to supply a similar (but smaller) authentication keypad; they now use a smartphone app instead. The “know” vs “have” question in multifactor auth traditionally assumes the thing you know is memorized (which you can’t expect people to do with TOTP secrets) and the thing you have is a physical device that authenticates itself with an embedded secret. There’s an intermediate category of secrets you have access to (e.g. in a password manager) but which can’t protect themselves against copying by the authorised user like a physical token can. TOTP and HOTP were designed to be implemented in physical tokens (similar to SecurID, https://en.wikipedia.org/wiki/RSA_SecurID, though that uses a different algorithm) but they are often supported by password managers or apps that allow the OTP secrets to be copied.