[anonymars]

I assume it's a phishing scenario, given the note about password managers. Evil site spoofs the login page, and when you attempt to log in to the malicious site, it triggers an attempt from the real site, which will duly pass you a code, which you unwittingly put into the malicious site

[LoganDark]

TOTP is vulnerable to the same attack, though. If you are fooled into providing the code, it doesn't matter whether it's a fresh one to your email or a fresh one from your authenticator.

[eddythompson80]

They are, which is one major issue with TOTP and most current MFA methods. There is an implicit assumption that you only get the full benefit if your usi g a password manager.

1. A password manager shouldn't be vulnerable to putting your password in a phishing site.

2. If your password is leaked, an attacker can't use it without the TOTP.

Someone who doesn't use a password manager won't get the benefits of #1, so they can be phished even with a TOTP. But they will get the benefits of #2 (a leaked password isn't enough)

Passkeys assume/require the use of a password manager (called a "passkey provider")

[LoganDark]

Passkeys do largely solve this issue. I love to use them whenever I can.

[anonymars]

Sure, but you would have needed to input a password first, which autofill wouldn't have put into a spoofed site