Hacker News
by microtonal 4000 days ago
However, I have seen many implementations allow for time shifting, i.e. the code that was generated in the past 30 seconds, this 30 seconds and the next 30 seconds are all valid.

Hence one minute. This is also why I referred to the RFC.

The only way that would work is if you were actively watching the captured credentials and attempted to log in right away. That to me would be a targeted attack rather than some random phish.

Why? It's no problem to make a phishing site that requests the password and the TOTP code and uses these credentials immediately.
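The time-shift tolerance discussed in this thread, as an added Python example that is not the commenter's code: an RFC 6238 verifier that accepts the previous, current and next 30-second step, plus the replay guard RFC 6238 section 5.2 recommends so that a captured code cannot be reused within that window (the secret is the RFC test vector; the window size and `last_counter` parameter are assumptions about how a verifier might be written).

```python
import hashlib
import hmac
import struct

STEP = 30      # RFC 6238 default time step in seconds
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, step: int = STEP) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step)."""
    return hotp(secret, at // step)


def verify(secret: bytes, code: str, at: int, window: int = 1, last_counter: int = -1):
    """Accept `code` if it matches any step in [now - window, now + window] (the
    'past 30 s, this 30 s, next 30 s' tolerance) AND its step is newer than the
    last accepted step for this user, so the same code cannot be replayed.
    Returns the accepted counter (to be stored as the new last_counter) or None."""
    now = at // STEP
    for c in range(now - window, now + window + 1):
        if c > last_counter and hmac.compare_digest(hotp(secret, c), code):
            return c
    return None


if __name__ == "__main__":
    secret = b"12345678901234567890"          # RFC 4226 / RFC 6238 test secret
    code = totp(secret, 59)                    # generated in step 1 (t = 30..59)
    print(code, verify(secret, code, 61))      # still valid one step later -> 1
    print(verify(secret, code, 90))            # two steps later -> None
    print(verify(secret, code, 61, last_counter=1))  # replayed -> None
```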