by gruez 532 days ago
>A time-based 2FA (TOTP) is time-sensitive, and a man-in-the-middle or proxy needs to be set up to capture that in real-time

Is that supposed to be remotely difficult? It'll take maybe an hour to whip up a script that takes the captured credentials, passes them on to a headless browser to attempt the login, capture the session cookie, and optionally refresh the page regularly to keep the session active.

Unless the page gives you a captcha before the TOTP, which it definitely should.

None of my bank accounts use a login captcha. Presumably they mitigate brute-forcing using lockouts or similar. Even if they use captchas, captcha solving services exist that solve for less than a cent per solve. It's not a huge barrier.

Modern captchas only deter humans; bots will pass right through.