This is actually the first I've heard of this, re considering TOTP to be not worthwhile. Can you recommend some links to material for me to read to get up to speed with the argument?
This is actually the first I've heard of this, re considering TOTP to be not worthwhile. Can you recommend some links to material for me to read to get up to speed with the argument?
Basically everything ever written about U2F, WebAuthn, and phishing-proof authentication generally is about the weaknesses of TOTP. The principle component of the problem is phishing.
There are sites requiring TOTP to mitigate careless users using dumb passwords, because the sites can't guarantee passwords aren't reused but they can enforce TOTP.
Even for phishing, doesn't it count for something that TOTP prevents asynchronous phishing (collect credentials on a fake site, try them in batches later)?
No, it does not. Everybody agrees that password + TOTP is better than just plain passwords. Everything is better than just plain passwords. But I've personally worked on large, high-stakes projects where TOTP phishing was a continuous problem, and it's really difficult to solve. Since we have options besides TOTP that aren't susceptible to phishing, people shouldn't be pushing TOTP anymore.
What is your current to use at this moment preferred option for a general (not especially sensitive domain like banking) consumer site?
TOTP is not phishing resistant, passkeys are. Also can screen grab TOTP.