by SpaethCo
846 days ago
> Yes, it can be phished if you fall for that, but it removes several attack vectors. How was the first factor (the password) compromised? Assuming the user is using site-unique passwords, in 99% of cases where an attacker obtains a functional password they can get at least one TOTP code or the seed in the same manner. (i.e., if I can steal your password DB, odds are pretty good for me stealing your TOTP seed DB as well.) The outcome of a single successful authentication is a longer-lived session cookie. Once an attacker has that they can reset your creds (usually just requiring re-entering the password) and the account is theirs. IMO, the only 2nd factors that matter are those that mutually authenticate like PassKeys / FIDO keys.
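As an added example (not part of the comment above, and not code from any project it mentions), here is a minimal RFC 4226 / RFC 6238 HOTP/TOTP implementation that makes the "seed is as good as the code" point concrete: whoever holds the shared secret can compute the valid code for any time step, past or future, without ever touching the victim's phone. The `STOLEN_ROW` record and its `otpauth://` URI are constructed sample data standing in for one row of a leaked MFA-enrollment table; the `verify_totp` drift window of one step is a common but assumed server setting.

```python
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, urlparse


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, then dynamic truncation."""
    digest = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step)."""
    return hotp(secret, at // step, digits, algo)


def verify_totp(secret: bytes, code: str, at: int, step: int = 30,
                digits: int = 6, window: int = 1) -> bool:
    """Server-side check allowing +/- `window` steps of clock drift (assumed policy),
    using a constant-time comparison for each candidate."""
    return any(
        hmac.compare_digest(totp(secret, at + k * step, step, digits), code)
        for k in range(-window, window + 1)
    )


def seed_from_otpauth(uri: str) -> bytes:
    """Pull the shared secret out of an otpauth://totp/... URI.
    The secret is base32; enrollment QR codes usually omit '=' padding, so restore it."""
    params = parse_qs(urlparse(uri).query)
    b32 = params["secret"][0]
    return base64.b32decode(b32 + "=" * (-len(b32) % 8), casefold=True)


# Constructed sample: one row of a hypothetical leaked MFA-enrollment table.
# The secret JBSWY3DPEHPK3PXP is the well-known demo value, not a real user's seed.
STOLEN_ROW = {
    "user": "alice@example.com",
    "otpauth": "otpauth://totp/Example:alice@example.com?secret=JBSWY3DPEHPK3PXP&issuer=Example",
}


def codes_from_stolen_seed(row: dict, start: int, count: int = 3, step: int = 30) -> list[str]:
    """Every code for the next `count` time steps, derived directly from the leaked seed.
    No phishing page, no interception: the seed alone is sufficient."""
    seed = seed_from_otpauth(row["otpauth"])
    return [totp(seed, start + i * step, step) for i in range(count)]


if __name__ == "__main__":
    now = int(time.time())
    seed = seed_from_otpauth(STOLEN_ROW["otpauth"])
    for when, code in zip(range(now, now + 90, 30), codes_from_stolen_seed(STOLEN_ROW, now)):
        # Each attacker-computed code is accepted by the server-side verifier at its time step.
        print(STOLEN_ROW["user"], when, code, verify_totp(seed, code, when))
```

The test vectors checked against this code are the ones published in RFC 4226 (HOTP, secret `12345678901234567890`) and RFC 6238 (8-digit TOTP, same secret, 30-second step), so a practitioner can confirm the generator is standard before reasoning about what a seed-database leak means for their own deployment.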