
I have. But TOTP is a bit tricky: a generated password isn't single-use by design (as it's valid for a 30-second window). So you'd have to make sure a single password can only be used once on the server side. Additionally, the default 6-digit code seems a bit weak. It seems that 6 digits is fixed in Google Authenticator at the moment: https://github.com/google/google-authenticator/wiki/Key-Uri-....

HOTP might also be possible, but then you also have to store state (the counter) on the server side. Additionally, that also seems to be limited to 6 digits in Google Authenticator.

My current approach is: Don't exhaust the tokens before you return from vacation :-)




Fair approach. Just a thought. Good point on the 30-second window; it would suggest that (without ensuring the server only accepts it once) someone else could gain access (though it being read-only, they'd have limited access).

I'm not familiar with Yubikeys other than that they exist. How're you using them for authentication? Do they not have the potential password reuse issue (seems they include TOTP support among other methods of authentication)?

Also, I'm fairly new to TOTP and was a bit surprised that Google Authenticator didn't allow for longer keys. That seems like it ought to be easy, to this layman, to implement for them.

===EDIT===
Found my answer to the Yubikey question. Read their documentation on how their OTP works. My initial confusion was based on a cursory read through where I saw they supported TOTP, but they have another method that's not time-based. So, yeah, not sure a good solution to the TOTP password reuse problem, but might spend more time looking into using Yubikey for myself.



