by Spooky23 1644 days ago
I wish TOTP supported a PIN. That omission makes it pretty useless for high security applications.

You want your secret to have a secret? Several apps that provide time-based one-time password storage/management can also be secured with biometrics, PINs or passwords (Aegis, MS Authenticator). Are you specifically thinking physical tokens only?
If you need to conform with higher NIST assurance levels, a one-time password generator needs to have a secret as well.

Commercial solutions support this with challenge/response tokens or PINs. I’d love to see an OSS solution.

Perhaps you could link to these NIST standards?
What do you mean by that? The TOTP standard doesn't specify how (if at all) the client is secured. Besides, the one-time code is used in addition to a password, not as a substitute for one.
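As an added example (not code from this thread or from any of the apps mentioned), the following Python shows why a PIN has to live on the client: RFC 6238 TOTP takes only the shared seed and the time step, so a PIN lock of the kind Aegis applies is implemented by keeping the seed encrypted under a PIN-derived key and refusing to generate a code without it. The cipher here (PBKDF2 key, HMAC-SHA256 keystream, encrypt-then-MAC) is an assumed stand-in for the AEAD a real app would use; the seed and timestamps are the RFC 6238 test vector.

```python
import hashlib
import hmac
import struct


def totp(seed: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1: the only inputs are seed and time step."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(seed, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation, RFC 4226 section 5.3
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


# Client-side PIN protection (assumed construction, not from any standard).
def _kdf(pin: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 200_000, dklen=32)


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    out, block = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + struct.pack(">I", block), hashlib.sha256).digest()
        block += 1
    return out[:n]


def lock_seed(seed: bytes, pin: str, salt: bytes, nonce: bytes) -> bytes:
    """Encrypt-then-MAC the seed under the PIN-derived key; salt and nonce are 16 bytes."""
    key = _kdf(pin, salt)
    ct = bytes(a ^ b for a, b in zip(seed, _keystream(key, nonce, len(seed))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return salt + nonce + ct + tag


def unlock_seed(blob: bytes, pin: str):
    """Return the seed, or None when the PIN is wrong or the store was tampered with."""
    salt, nonce, ct, tag = blob[:16], blob[16:32], blob[32:-32], blob[-32:]
    key = _kdf(pin, salt)
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


def code_with_pin(blob: bytes, pin: str, unix_time: int):
    """The generator only produces a code if the PIN unlocks the seed."""
    seed = unlock_seed(blob, pin)
    return None if seed is None else totp(seed, unix_time)
```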