Not if your TOTP codes are generated by another device, then the attacker needs your password, plus the device holding the key for TOTP. If you use it on your phone and authenticator is your phone then a theif has everything when they steal your phone.
Hardware key for TOTP is a better 2FA method as its totally separate from your PC or phone
As long as the default recommendation is to use authenticator apps on your main device I’ll see this as a “could be good if implemented correctly, which it isn’t, so it isn’t good”
I mean yes everything is hackable.
Thankfully the hardware key supports FIDO where there is a public / private pair with private locked on the hardware. Not enough services support this though.
So threat is being targeted and having somebody steal the hardware key.
This. This so much. Password+Totp based login is just two passwords where one is more annoying to use.
Not if your TOTP codes are generated by another device, then the attacker needs your password, plus the device holding the key for TOTP. If you use it on your phone and authenticator is your phone then a theif has everything when they steal your phone.
Hardware key for TOTP is a better 2FA method as its totally separate from your PC or phone
As long as the default recommendation is to use authenticator apps on your main device I’ll see this as a “could be good if implemented correctly, which it isn’t, so it isn’t good”
If you can get at a password by hacking a website, I wouldn’t be holding out hope that they couldn’t then steal the TOTP secret.
I mean yes everything is hackable. Thankfully the hardware key supports FIDO where there is a public / private pair with private locked on the hardware. Not enough services support this though.
So threat is being targeted and having somebody steal the hardware key.