by t0astbread 1465 days ago
I'm not an expert in authentication but afaik TOTP (and HOTP) work completely offline. That means you could store your keys on a device that doesn't have internet access. On that device you can do whatever you want. Some TOTP apps allow you to lock your keys with an additional passphrase or a biometric factor.

From my (maybe naive) POV as a user I tend to agree, it would be nice to have a standard for push-based authentication so that I can actually see when someone else has made it past the password prompt. Although email notifications would largely solve that problem (if more websites used them).


I'm not seeing a huge benefit of the personal device being offline, while you're trying to log into an online service. But let's say there was a need for that, what about using bluetooth or wifi direct to push to the device?
Like I said, I don't know the standards, so I don't know the authors' intentions. But there are actually specialized devices which do nothing but generate TOTP tokens, so that seems to be a use case. (The keys don't have to be on a phone or in a particular app.)
A push token usually means you're utilizing a service such as Okta, RSA, Symantec VIP, etc. whereas RFC TOTP can just be managed locally and the user can choose a 2FA app of their liking.
Why? We've already got better standards, there's no need to add complexity to TOTP.