> > But auth lock-in
> > GOOD.

All our corporate sign-in events should be through our single IDP using SSO. Of course we want lock-in.

My workplace uses Duo Mobile for a second factor, which is functionally identical to TOTP, and probably uses TOTP internally (if your Android phone is rooted, you can export Duo Mobile keys to your choice of TOTP app). But as long as I'm being a good corporate citizen, I can't use my choice of TOTP app. What actual security (non-theater) interest does that serve?

If a user can use any TOTP app of their choice, what's the mitigation for them installing a malware TOTP app that ships their private keys directly to CCP HQ?

Duo is regularly audited by independent third-party assessors to attest their SDLC, data protection in their datacenters, etc.[1] Audits aren't a guarantee, but they provide a reasonable amount of assurance that their software products and infrastructure have at least basic data protection measures.

> if your android phone is rooted, you can export Duo Mobile keys

This is the exact reason why personally owned devices, in most organizations, require MDM enrollment and attestation before being granted access to corporate resources.

[1] https://duo.com/solutions/compliance

If you can't use a TOTP app of your choice, what's the point of there being a standard? Pick an audited app using a proprietary scheme; you don't need interoperability, and if you don't need interoperability, you don't need a standard.