
TOTP still seems good enough for most things



At best WPA2. WEP is broken in ways that don't need human fault.

The only downside of TOTP to FIDO and friends (from a security perspective) is phishing resistance


Because of how humans work, TOTP can give false confidence to the user, which is a further downside.

Grandma goes to fakesite.com not realising it isn't her real site. It asks her for the TOTP code, she provides her TOTP code and it works. She is reassured - if this wasn't her real site why would the code work?

Now, in theory a neutral security assessor can see that's not reassuring, but that's not how humans work; the fact there was a challenge-response feels like security even though for all they know it was accepting any inputs.

Phishing sites generally have a milder version of this effect. I have vanity mail, so I own the "mail provider" handling my email and yet of course I get those phishing mails saying as the "Administrators" of my vanity domain they need me to type in my password. But they don't know my password of course, so filling in their form with crap "works" the same as anything else, fuckyouscammers, sure that's a reasonable password.

These schemes can't work if you don't rely on stupid shared human secrets ("Passwords") everywhere, but we did and it seems many people are really enthusiastic to keep doing that, so I doubt we'll escape from this self-imposed status. I wanted to make a web site that mimics the famous reusable Onion article but I've never gotten around to it. "No way to prevent this"


Find me a grandma using TOTP. It would confuse them too much.


Huh? We're not asking random grandparents to implement TOTP, only to use it, and that's necessary for a lot of basic remote work and so on these days.


I clearly said "using" not "implementing".


Hence my "Huh". Everybody working in my team uses TOTP if they don't have their own Yubikey which most do not. Most of them aren't close to as old as I am, but some are indeed grandparents, it's like if you were astonished anybody over age 40 can type.


That's a pretty major downside to OTPs and certainly not one that can be offhandedly dismissed.


It is for general population. I don't think HN users for instance are particularly concerned about phishing sites.


Python users (pypi.org) who were using TOTP just got hit.

"If the user had enrolled a Security Device for PyPI second factor authentication, the attacker would not have been able to use the second factor, as the WebAuthn protocol requires the user to physically interact with a hardware security key, or use a browser-based implementation, which would not be possible if the user was not on the legitimate PyPI.org website (Relying Party Identifier)."

https://blog.pypi.org/posts/2025-07-31-incident-report-phish...
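An added example, not code from any commenter, from PyPI, or from the quoted incident report, illustrating the point made above about phishing and the quoted sentence about the Relying Party Identifier. It models a phishing proxy that relays whatever the victim submits on fakesite.com to the real site. A server verifying a TOTP code (RFC 6238 via RFC 4226 HOTP, implemented here with the standard library) only ever sees six digits and cannot tell which page they were typed into, so the relayed code verifies. A WebAuthn-style assertion, by contrast, is signed over the authenticator's rpIdHash and over a hash of clientDataJSON whose `origin` field the browser fills in itself, so an assertion produced on fakesite.com fails the relying party's origin and rpIdHash checks. The secrets, the challenge, the site names, and the use of HMAC-SHA256 as a stand-in for the credential's public-key signature are constructed for the demo; the structure being checked (rpIdHash, flags, clientDataJSON origin/challenge/type) follows the WebAuthn assertion format.

```python
import base64
import hashlib
import hmac
import json
import struct
import time


# ---- TOTP: a shared secret and a 6-digit code, nothing binds it to a site --------------

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP with HMAC-SHA1 and dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30) -> str:
    """RFC 6238 TOTP: HOTP over the 30-second time counter."""
    return hotp(secret, at // step)


def server_verify_totp(secret: bytes, submitted: str, at: int, skew: int = 1) -> bool:
    """The real site's check. It sees only a digit string, so a code the user typed into a
    phishing page and the phisher relayed looks identical to one typed on the real page."""
    counter = at // 30
    return any(hmac.compare_digest(hotp(secret, counter + d), submitted)
               for d in range(-skew, skew + 1))


# ---- WebAuthn-style assertion: origin and RP ID are part of what is signed --------------

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def rp_id_hash(rp_id: str) -> bytes:
    return hashlib.sha256(rp_id.encode()).digest()


def authenticator_assert(cred_key: bytes, origin: str, challenge: bytes) -> dict:
    """Simulates browser + authenticator for a page served from `origin`. The page's script
    supplies the challenge, but the browser itself writes clientDataJSON.origin and derives the
    RP ID from the origin's domain; a phishing page cannot spoof either. (A real authenticator
    would not even hold a credential scoped to fakesite.com; we let it sign anyway to show the
    RP-side check still rejects it.) HMAC stands in for the credential's signature (constructed)."""
    rp_id = origin.split("://", 1)[1].split("/")[0]
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": b64url(challenge), "origin": origin},
        separators=(",", ":")).encode()
    auth_data = rp_id_hash(rp_id) + b"\x01" + struct.pack(">I", 1)  # flags: UP set; counter=1
    signed = auth_data + hashlib.sha256(client_data).digest()
    signature = hmac.new(cred_key, signed, hashlib.sha256).digest()
    return {"clientDataJSON": client_data, "authenticatorData": auth_data, "signature": signature}


def rp_verify_assertion(cred_key: bytes, assertion: dict, expected_rp_id: str,
                        expected_origin: str, challenge: bytes):
    """The relying party's checks, in the order WebAuthn specifies them. Returns (ok, reason)."""
    client = json.loads(assertion["clientDataJSON"])
    if client.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if client.get("challenge") != b64url(challenge):
        return False, "challenge mismatch"
    if client.get("origin") != expected_origin:
        return False, "origin mismatch: %s" % client.get("origin")
    auth_data = assertion["authenticatorData"]
    if auth_data[:32] != rp_id_hash(expected_rp_id):
        return False, "rpIdHash mismatch"
    if not auth_data[32] & 0x01:
        return False, "user presence flag not set"
    signed = auth_data + hashlib.sha256(assertion["clientDataJSON"]).digest()
    expected_sig = hmac.new(cred_key, signed, hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, assertion["signature"]):
        return False, "bad signature"
    return True, "ok"


def demo(now: int = None) -> dict:
    """Relay attack against both factors. All secrets and names are constructed for the demo."""
    now = int(time.time()) if now is None else now
    totp_secret = b"constructed-shared-totp-secret"
    # Victim types the current code into fakesite.com; the phisher forwards it to the real site.
    code_typed_on_fakesite = totp(totp_secret, now)
    totp_relayed_accepted = server_verify_totp(totp_secret, code_typed_on_fakesite, now)

    cred_key = b"constructed-credential-key"
    challenge = hashlib.sha256(b"constructed challenge from the real site").digest()
    # Same challenge in both cases: the phisher can proxy it, but not the origin the browser writes.
    legit = rp_verify_assertion(cred_key, authenticator_assert(cred_key, "https://pypi.org", challenge),
                                "pypi.org", "https://pypi.org", challenge)
    phished = rp_verify_assertion(cred_key, authenticator_assert(cred_key, "https://fakesite.com", challenge),
                                  "pypi.org", "https://pypi.org", challenge)
    return {"totp_relayed_accepted": totp_relayed_accepted,
            "webauthn_legit": legit, "webauthn_phished": phished}


if __name__ == "__main__":
    print(demo())
```

The hotp() function can be checked against the RFC 4226 test vectors (secret "12345678901234567890", counters 0 and 1 give 755224 and 287082). The important line in the second half is the origin comparison: the server gets to reject before it even looks at the signature, because the thing that is signed already says where the user was.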


Zero days exist, and something like tapjacking can be used to obscure and capture those TOTPs.

Don't use TOTPs if you have an option to use Passkeys/WebAuthN

Short video example: https://taptrap.click/



