by lamontcg 857 days ago
Generally the threat model that TOTP protects against is not someone breaking into your device. The threat model that it protects against is someone compromising your other credentials. So, although not recommended, you could post your login credentials on twitter and still nobody would be able to get into your account. An attacker hacking into your laptop/desktop/phone with access to install keyloggers and hijack connections is not really what it protects against.
2 comments

>Generally the threat model that TOTP protects against is not someone breaking into your device.

And yet, in some realistic scenarios TOTP does protect me against that, if the second factor is on a different device, kind of like a poor man's yubikey.

Not if I'm on your device and hijacking your already-authenticated connection. I just need to be careful enough to do it in the background in such a way that you don't notice.
If my device got stolen I would remove the device from my accounts immediately. And without the second factor you wouldn't be able to do anything about it.
The threat is that your device is infiltrated right now.
In a corporate setup, it also somewhat protects against intentional policy-violating password sharing between employees.