For the purposes of 2FA, your physical machine typically doesn't count as 'something you have' and your phone is really no different.



If I install a TOTP generator on a machine and set up 2FA on a 3rd party service, and I then later log in with a password and a 6 digit TOTP code, that is definitely 2FA.

You can argue my TOTP shared secret may or may not be secure enough from malware. But it’s definitely 2FA and it successfully protects against the attack vectors that adding a “something you have” factor is designed to protect against. Better than SMS codes, for sure.

Could the TOTP shared secret be stolen if it’s kept in a file on my desktop? Of course! But that fundamentally changes the attack vector from the typical password spraying attack because now an attacker needs to directly target me and compromise my machine.

If the TOTP shared secret is in the iPhone secure element and protected by the iOS sandbox, no consumer application could reasonably ask for anything better than that. That’s $1B of security R&D on your side.

Another way to think about it is that on-device TOTP is “something you have” just like a saved password is something you have.
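The TOTP mechanism this comment relies on, as an added example that is not part of the thread: RFC 4226 HOTP under RFC 6238 time steps, with the app side (what the phone displays) and the service side (skew window, constant-time compare, and a last-accepted-step record so a code seen over a shoulder cannot be replayed inside the window). The secret is the RFC 6238 Appendix B test key, encoded the way an otpauth:// URI carries it; the 30-second step and 6 digits are the usual defaults.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"crypto/subtle"
	"encoding/base32"
	"encoding/binary"
	"fmt"
	"strconv"
	"strings"
	"time"
)

const (
	totpStep   = 30 * time.Second // RFC 6238 default time step
	totpDigits = 6
)

// decodeSecret parses the base32 shared secret from an otpauth:// URI; spaces
// and '=' padding are tolerated, as authenticator apps tolerate them.
func decodeSecret(b32 string) ([]byte, error) {
	s := strings.ToUpper(strings.ReplaceAll(b32, " ", ""))
	s = strings.TrimRight(s, "=")
	return base32.StdEncoding.WithPadding(base32.NoPadding).DecodeString(s)
}

// hotp is RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then
// dynamic truncation to the requested number of decimal digits.
func hotp(secret []byte, counter uint64, digits int) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	sum := mac.Sum(nil)
	offset := sum[len(sum)-1] & 0x0f
	bin := binary.BigEndian.Uint32(sum[offset:offset+4]) & 0x7fffffff
	mod := uint32(1)
	for i := 0; i < digits; i++ {
		mod *= 10
	}
	return fmt.Sprintf("%0"+strconv.Itoa(digits)+"d", bin%mod)
}

// totp is what the app on the phone (or desktop) displays at time at.
func totp(secret []byte, at time.Time, digits int) string {
	return hotp(secret, uint64(at.Unix()/int64(totpStep/time.Second)), digits)
}

// totpVerifier is the service side. It tolerates +/-skew steps of clock
// drift, compares in constant time, and never accepts a step at or before
// the last one that succeeded, so a captured code cannot be reused.
type totpVerifier struct {
	secret      []byte
	skew        int
	lastCounter int64 // highest accepted step; -1 means none yet
}

func newTOTPVerifier(secret []byte, skew int) *totpVerifier {
	return &totpVerifier{secret: secret, skew: skew, lastCounter: -1}
}

func (v *totpVerifier) Verify(code string, now time.Time) bool {
	current := now.Unix() / int64(totpStep/time.Second)
	for d := -v.skew; d <= v.skew; d++ {
		c := current + int64(d)
		if c <= v.lastCounter {
			continue // already used, or older than a used code: replay
		}
		want := hotp(v.secret, uint64(c), totpDigits)
		if subtle.ConstantTimeCompare([]byte(want), []byte(code)) == 1 {
			v.lastCounter = c
			return true
		}
	}
	return false
}

func main() {
	// RFC 6238 Appendix B test secret ("12345678901234567890"), base32 encoded.
	secret, err := decodeSecret("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ")
	if err != nil {
		panic(err)
	}
	now := time.Unix(1111111109, 0)
	code := totp(secret, now, totpDigits)
	v := newTOTPVerifier(secret, 1)
	fmt.Println("code:", code, "first use:", v.Verify(code, now), "replay:", v.Verify(code, now))
}
```

The skew window is what makes the replay record necessary: without it, the same code is valid for up to three steps, which is exactly the window a phished or shoulder-surfed code gets used in.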


2FA protects against "password spraying" but that is not really the scariest threat model.

The scariest threat model is phishing, and the disadvantage of a TOTP app on your phone is that you type in the one-time code by hand. Anything you type in by hand can be phished.

The advantage of a token for 2FA is that you don't type it in. It takes human judgment out of the equation. Using NFC to supply the one-time code on an iPhone preserves that advantage.

Now, you might not think a phishing threat model is relevant to you, and that's fine. My point is simply that there is a difference between a 2FA code you type in, and a 2FA code that is supplied directly from hardware.


I'm not sure which of these is scarier. It also depends on the user, or their past choices. E.g. I reused passwords before I had a password manager, as otherwise I couldn't remember all of them.

> the disadvantage of a TOTP app on your phone is that you type in the one-time code by hand

The main disadvantage is the cost of time.

Another disadvantage is that the code can be read by anyone around you. With something physical you have more control over where you keep it, though that also has its disadvantages.


> The scariest threat model is phishing, and the disadvantage of a TOTP app on your phone is that you type in the one-time code by hand. Anything you type in by hand can be phished.

I can be fooled into reading a 6-digit PIN to Evil Mallory, a MITM attack.

I can be fooled into tapping my NFC auth token on Mallory's Evil Website, and the auth handshake would fail. Or not. It depends on the protocol, I suppose.

Is that what you mean?
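The difference the two comments above are circling (a typed code relays through Mallory, a hardware assertion may or may not, "it depends on the protocol"), as an added example that is not part of the thread. The model is a reduced WebAuthn/FIDO exchange: the browser, not the page, hands the token the server's challenge plus the origin it is actually on, and the token signs both with a P-256 key. A flag switches origin binding off so the relay can be compared against a protocol that signs only the challenge, which behaves like a typed OTP. Origins, the relying party and the relay flow are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
)

// clientData is what the browser gives the authenticator to sign: the
// server's challenge and the origin the browser is on. The page cannot set
// the origin. Reduced from WebAuthn's clientDataJSON to the two fields needed.
type clientData struct {
	Challenge []byte `json:"challenge"`
	Origin    string `json:"origin,omitempty"`
}

func hashClientData(cd clientData) []byte {
	b, _ := json.Marshal(cd) // cannot fail for this struct
	h := sha256.Sum256(b)
	return h[:]
}

// authenticator is the hardware token or secure-element key.
type authenticator struct{ priv *ecdsa.PrivateKey }

func newAuthenticator() (*authenticator, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &authenticator{priv: priv}, nil
}

// sign produces an assertion. With bindOrigin the browser's origin is part of
// the signed bytes (FIDO/WebAuthn); without it the token signs only the
// challenge, which is no better than a code the user types in.
func (a *authenticator) sign(challenge []byte, browserOrigin string, bindOrigin bool) (clientData, []byte, error) {
	cd := clientData{Challenge: challenge}
	if bindOrigin {
		cd.Origin = browserOrigin
	}
	sig, err := ecdsa.SignASN1(rand.Reader, a.priv, hashClientData(cd))
	return cd, sig, err
}

// relyingParty is the real site. It remembers the challenges it issued and
// accepts each one once.
type relyingParty struct {
	origin  string
	pub     *ecdsa.PublicKey
	pending map[string]bool
}

func newRelyingParty(origin string, pub *ecdsa.PublicKey) *relyingParty {
	return &relyingParty{origin: origin, pub: pub, pending: map[string]bool{}}
}

func (rp *relyingParty) newChallenge() ([]byte, error) {
	ch := make([]byte, 32)
	if _, err := rand.Read(ch); err != nil {
		return nil, err
	}
	rp.pending[hex.EncodeToString(ch)] = true
	return ch, nil
}

func (rp *relyingParty) verify(cd clientData, sig []byte, checkOrigin bool) bool {
	key := hex.EncodeToString(cd.Challenge)
	if !rp.pending[key] {
		return false // unknown or already used challenge
	}
	delete(rp.pending, key)
	if checkOrigin && cd.Origin != rp.origin {
		return false // the token signed for a different site: this was relayed
	}
	return ecdsa.VerifyASN1(rp.pub, hashClientData(cd), sig)
}

// login runs one authentication with the browser on browserOrigin. A real
// login has browserOrigin == rp.origin. In a phishing relay Mallory fetches
// the challenge from rp, shows her own page to the victim, and forwards
// whatever the victim's token produces; only browserOrigin differs.
func login(rp *relyingParty, auth *authenticator, browserOrigin string, bindOrigin bool) (bool, error) {
	ch, err := rp.newChallenge()
	if err != nil {
		return false, err
	}
	cd, sig, err := auth.sign(ch, browserOrigin, bindOrigin)
	if err != nil {
		return false, err
	}
	return rp.verify(cd, sig, bindOrigin), nil
}

func main() {
	auth, err := newAuthenticator()
	if err != nil {
		panic(err)
	}
	rp := newRelyingParty("https://bank.example", &auth.priv.PublicKey)
	for _, bind := range []bool{false, true} {
		ok, _ := login(rp, auth, rp.origin, bind)
		phished, _ := login(rp, auth, "https://evil.example", bind)
		fmt.Printf("origin bound=%v: real login=%v, relayed through Mallory=%v\n", bind, ok, phished)
	}
}
```

Mallory cannot repair the relayed assertion by rewriting the origin field to the bank's, because the signature covers it; that, plus single-use challenges, is what "the handshake would fail" means for the origin-bound case. With binding off, the same relay succeeds, which answers the "or not, depends on the protocol" part.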


I would posit that the set of people able to be phished and the set of people willing & able to use a Yubikey are disjoint, or nearly indistinguishably so.


Why not? The iPhone is a personal computer (PC) after all, ironic as it may sound.


Your iPhone is a second factor to all devices except itself.


Regardless of what screen you are authenticating on, a key stored on the iPhone secure element can always be considered to be a factor in the authentication process.

If you are logging into a site on your mobile device, and part of the authentication verifies your password and another part verifies that you are in fact on your mobile (e.g. verifying a signature of a private key stored on the device) I would still call that multi-factor authentication.

Optionally, there may be a user prompt on the device before allowing the signature.

Optionally, the user prompt could also require a local biometric authentication (3rd factor).

Or there could be no prompt at all — just an automatic handshake proving it is the same device being used that was originally enrolled.

In any case you are constraining the authentication process to only work with access to a specific private key, hence a second factor.
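The three variants this comment lists (silent handshake, prompt, prompt plus local biometric), as an added example that is not part of the thread. The device-held P-256 key signs the service's challenge together with two flags and a per-device signature counter, so the service can trust the flags as much as the signature; the flags and counter follow WebAuthn's UP/UV bits and signCount, reduced to what the point needs. The service counts the password as factor one, a valid device signature as factor two and the user-verified flag as a third, enforces a policy on the flags, and rejects a counter that did not advance (a replayed assertion or a clone that fell behind the real device). The password hash is a salted SHA-256 stand-in; account, policy and device types are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/binary"
	"errors"
	"fmt"
)

// assertion is the device's answer to a login challenge. Flags and counter
// are inside the signed bytes.
type assertion struct {
	Challenge    []byte
	UserPresent  bool   // the user confirmed a prompt on the device
	UserVerified bool   // the device checked a biometric or PIN first
	SignCount    uint32 // incremented by the device on every signature
	Sig          []byte
}

func (a *assertion) digest() []byte {
	var flags byte
	if a.UserPresent {
		flags |= 0x01
	}
	if a.UserVerified {
		flags |= 0x04
	}
	var cnt [4]byte
	binary.BigEndian.PutUint32(cnt[:], a.SignCount)
	buf := append(append(append([]byte{}, a.Challenge...), flags), cnt[:]...)
	h := sha256.Sum256(buf)
	return h[:]
}

// device holds the private key that never leaves the secure element.
type device struct {
	priv  *ecdsa.PrivateKey
	count uint32
}

func newDevice() (*device, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &device{priv: priv}, nil
}

// sign covers all three modes: silent (false, false), prompt (true, false),
// prompt plus local biometric (true, true).
func (d *device) sign(challenge []byte, present, verified bool) (assertion, error) {
	d.count++
	a := assertion{Challenge: challenge, UserPresent: present, UserVerified: verified, SignCount: d.count}
	sig, err := ecdsa.SignASN1(rand.Reader, d.priv, a.digest())
	a.Sig = sig
	return a, err
}

// account is the service's record: password hash plus the enrolled public key.
type account struct {
	salt     []byte
	pwHash   []byte
	devPub   *ecdsa.PublicKey
	devCount uint32 // last counter accepted from the enrolled device
}

// hashPassword is a stand-in for the example; use argon2id/scrypt/bcrypt in practice.
func hashPassword(salt []byte, pw string) []byte {
	h := sha256.Sum256(append(append([]byte{}, salt...), pw...))
	return h[:]
}

func enroll(password string, dev *device) (*account, error) {
	salt := make([]byte, 16)
	if _, err := rand.Read(salt); err != nil {
		return nil, err
	}
	return &account{salt: salt, pwHash: hashPassword(salt, password), devPub: &dev.priv.PublicKey}, nil
}

type policy struct{ RequirePresence, RequireVerification bool }

var errAuth = errors.New("authentication failed")

// authenticate returns how many factors held (2 or 3) or an error.
func authenticate(acct *account, password string, challenge []byte, a assertion, pol policy) (int, error) {
	if subtle.ConstantTimeCompare(hashPassword(acct.salt, password), acct.pwHash) != 1 {
		return 0, fmt.Errorf("%w: password", errAuth)
	}
	if subtle.ConstantTimeCompare(a.Challenge, challenge) != 1 {
		return 1, fmt.Errorf("%w: assertion is for a different challenge", errAuth)
	}
	if !ecdsa.VerifyASN1(acct.devPub, a.digest(), a.Sig) {
		return 1, fmt.Errorf("%w: not signed by the enrolled device", errAuth)
	}
	if a.SignCount <= acct.devCount {
		return 1, fmt.Errorf("%w: sign counter did not advance (replay or cloned device)", errAuth)
	}
	if pol.RequirePresence && !a.UserPresent {
		return 1, fmt.Errorf("%w: policy requires a user prompt", errAuth)
	}
	if pol.RequireVerification && !a.UserVerified {
		return 1, fmt.Errorf("%w: policy requires local biometric/PIN", errAuth)
	}
	acct.devCount = a.SignCount
	if a.UserVerified {
		return 3, nil
	}
	return 2, nil
}

func main() {
	dev, _ := newDevice()
	acct, _ := enroll("correct horse", dev)
	ch := []byte("constructed-challenge")
	silent, _ := dev.sign(ch, false, false)
	n, err := authenticate(acct, "correct horse", ch, silent, policy{})
	fmt.Println("silent handshake factors:", n, "err:", err)
}
```

The counter is the part people forget: without it, a silent handshake is replayable from a recorded session, and a copied key file on a desktop (the case discussed earlier in the thread) is indistinguishable from the original device.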



