by radicality 1059 days ago
My understanding of the post was that the author means that from the point of view of “authenticate this user”, the TOTP _key/seed_ is quite similar to a password, which I would agree with. Especially if you’re storing both in your password manager like the OP.
2 comments

> the TOTP _key/seed_ is quite similar to a password

It's not though. The whole point is the secret moves once, from server to client (ignoring user exports and whatnot). Pass(word|key)s are basic authentication, and so have to be transmitted with every request. That's a huge difference in surface area. Also they are guaranteed to be high entropy, unlike user-picked passwords with no filter.

It is not because:

1. TOTP is time based, after 30 seconds it means absolutely nothing, you cannot recreate the 'secret key' from that number

2. with TOTP everything is well-known. TOTP will usually generate a 6 digit 'secret', this makes managing it very predictable:

6 digits = 1,000,000 options (including all zeros), so we can easily calculate a good security margin

like: 5 attempts - 5/1,000,000 = 0.000005% chance of success. Very predictable security margin

for passwords it's a huge unknown, it entirely depends on the user password quality

While you are technically correct, you are missing the whole point of the blog post
Seems like a rant to me.

Passwords are used because they are convenient and intuitive.

Once you use a 'password manager' you basically have a glorified key generator/storer

We already have so many alternatives from GPG keys to FIDO/FIDO2 solutions

Security isn't always the first priority when running a website/app, it is the sad but honest truth (coming from a security expert with over a decade of experience)
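
Added example, not part of any comment in this thread: a standard-library sketch of how a server derives and checks TOTP codes from the shared seed (RFC 4226/6238), with replay rejection and a bound on online guessing. The names `verify`, `guess_bound` and `last_used_step` are hypothetical, and the seed is the public test key from RFC 6238.

```python
import hashlib
import hmac
import struct

def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def totp(key: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: the counter is the number of `step`-second intervals since epoch."""
    return hotp(key, unix_time // step, digits)

def verify(key: bytes, code: str, unix_time: int, last_used_step: int = -1,
           window: int = 1, step: int = 30):
    """Return the matched time step, or None.

    Steps at or before last_used_step are refused so a captured code
    cannot be replayed inside the clock-drift tolerance window.
    """
    current = unix_time // step
    for candidate in range(max(0, current - window), current + window + 1):
        if candidate <= last_used_step:
            continue
        if hmac.compare_digest(hotp(key, candidate, len(code)), code):
            return candidate
    return None

def guess_bound(attempts: int, window: int = 1, digits: int = 6) -> float:
    """Upper bound on an attacker's chance with `attempts` distinct guesses:
    each guess can hit any of the 2*window+1 codes the server accepts."""
    return min(1.0, attempts * (2 * window + 1) / 10 ** digits)

# Constructed sample input: the ASCII test seed from RFC 6238 Appendix B.
SEED = b"12345678901234567890"

if __name__ == "__main__":
    code = totp(SEED, 59)
    print("code at t=59:", code)
    print("accepted at step:", verify(SEED, code, 59))
    print("replayed:", verify(SEED, code, 59, last_used_step=1))
    print("two minutes later:", verify(SEED, code, 59 + 120))
    print("5 guesses, no window:", guess_bound(5, window=0))
    print("5 guesses, +/-1 step:", guess_bound(5, window=1))
```

The server has to persist the returned step per account and pair `verify` with an attempt limit, since the guessing bound only holds while attempts are capped.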