If a user can use any TOTP app of their choice, what's the mitigation for them installing a malware TOTP app that ships their private keys directly to CCP HQ?
Duo is regularly audited by independent third-party assessors to attest SDCL, data protection in their datacenters, etc.[1] Audits aren't a guarantee but they provide a reasonable amount of assurance that their software products and infrastructure have at least basic data protection measures.
> if your android phone is rooted, you can export Duo Mobile keys
This is the exact reason why personally owned devices, in most organizations, require MDM enrollment and attestation before being granted access to corporate resources.
If you can't use a TOTP app of your choice, what's the point of there being a standard? Pick an audited app using a proprietary scheme, you don't need interoperability, and if you don't need interoperability, you don't need a standard.