[lrvick]

This is not always true either. If you have limited control over the timestamp fed to a TOTP app you can capture codes that will be valid at any time of your choosing in the future. TOTP codes are just a magic hash of a secret and a timestamp.

Also the TOTP seeds are not stored in secure enclaves on phones but rather in plain text. Secure enclaves on phones do not have native TOTP support. Any application sandbox vulnerability on the TOTP seed containing device can give an attacker the ability to generate unlimited codes. Google Authenticator stores the secrets in an SQLite file.

It gets even worse when you consider TOTP secrets must /also/ be stored in plain text server side, normally sitting in a SQL database to be silently dumped through a pile of backend vulnerabilities most companies do not patch allowing bulk 2FA bypass.

TOTP is a fundamentally broken design that is negligent for any organization to support at this point alongside SMS. Everyone has one or more WebAuthn capable devices now regardless of if they realize it or not.

Today the right call for 2FA is to implement WebAuthn with the verification happening in a Confidential VM, HSM, Nitro Enclave or similar. Support only this.