[mdb31]

The TOTP "private key" can be easily cloned. Targeted malware, a database compromise at your app provider that you "securely" sync your settings to, or just a few minutes access to your "authentication" device, will do the trick.

[chipotle_coyote]

> or just a few minutes access to your “authentication” device

Oh, come on. Your “hardware” “authentication” “key” can be stolen in mere seconds by someone with physical access. Clearly, we should dispense with that fake bullshit 2FA and require face-to-face verification. Drive to the GitHub office and let them run a DNA test to confirm your identity, or GTFO, amirite?

[gkbrk]

There is no sync to provider servers on any TOTP implementation I use. Nor does a TOTP implementation need to be an application on a phone. Are you perhaps referring to the Google Authenticator or the Microsoft Authenticator apps when you refer to TOTP?

Manufacturers that sell the "meaningful" 2FA hardware tokens can manufacture and sell duplicate keys, they even provide this as a service when you want backup keys. What makes you think they don't "securely" make a few duplicates themselves?

[mdb31]

> There is no sync to provider servers on any TOTP implementation I use

That's hard to dispute, but will you accept https://guide.duo.com/duo-restore as a counterexample?

> Are you perhaps referring to the Google Authenticator or the Microsoft Authenticator apps when you refer to TOTP

No, I'm referring to the actual RFC 6283 TOTP protocol. Which uses a trivially-cloned single private key. Which is, see the example above, in fact trivially cloned 'for convenience' by at least one widely-used 'enterprise' security solution.

> What makes you think they don't "securely" make a few duplicates themselves?

Since that literally makes no sense if you know how hardware tokens work.