Yup. It's arguable whether TOTP secrets stored in Google Authenticator are a true "something you have" factor, but this came at a tradeoff because not everybody wants to pay for an RSA token generator and carry that around. Assuming the Android system is secure (big assumption, bear with me here), this is closer to a "something you have" factor because it's difficult, if not impossible, for users to retrieve the secrets from the GA app.
TOTP as a "something you have" approach to 2FA is entirely dependent on how well the device secures the secrets.
An RSA key's private key is (nearly?) impossible to retrieve. The Google Authenticator's TOTP keys are a bit easier. A file on a laptop is even easier.
I believe iPhones now come with on-board TPMs? So in theory you could actually generate the private key on the TPM, and then your phone becomes the "thing you have" to a higher degree of security than authenticator apps.
Not sure about any apps that take advantage of that yet, but the hardware seems to be there.
TPMs have been in phones for years actually, both iPhones and Android phones. The iPhone chips have become a lot better the last year or two though. Some apps, like government or banking apps, actually have been using ARM TrustZone (and probably Apple's T2 chip) for secret storage already.
If you use krypt.co, you can store ssh and GPG keys on your phone's TPM, as well as a secret key for use with a browser addon to facilitate WebAuthn. So, you can already use your phone as the "thing you have".
Well, Android devices do have "TrustZone"s, where keys are bound to the hardware and the user's identification (pin/password).
Sadly, Google Authenticator doesn't seem to be using that.
AndOTP does have an Android KeyStore backend, which uses TrustZone.
I think the 2FA objective is to protect mainly from password leaks. If an attacker has access to the files on your laptop, aren't they able to intercept 2FA codes too, even if they are generated on another device? Such attacks are not purely theoretical; we could observe them in the real world.
Apart from that, I believe that TOTP keys should be encrypted, and that is actually my main issue with the described tool: it stores the keys in plaintext, in a config file.
2FA is to mitigate risk after the password is compromised, not to prevent password compromise in the first place.
That doesn't change the necessity of protecting TOTP keys, session keys, bearer tokens, etc., it's just that your second factor is supposed to be a parallel factor, not an extra lock around your password.
For my threat model (and I suspect for most people's), access to copy files on my laptop implies access to install active malware on my browser sessions, i.e., it's already game over. If you don't have that access, then a file on my laptop is in fact something I have.
(I have a few things I intend to be survivable across a total laptop compromise, but they're special-case things like credentials that can upload code that will be run by a few thousand people. They're not protected by regular website 2FA. For regular websites, a browser compromise would almost always let you wait until I'm logged in, then disable 2FA and change both the email address and password on the account, at which point it's irrecoverable.)
Indeed. Doing this with the OS TPM or secure enclave might have been worthwhile, but without that it's basically a fancy way of writing a password on a post-it.
Depending on how the original OTP key is stored on your phone, it's not much better than having it on your laptop. The key is still just stored there, somewhere, inside your phone. On the laptop at least you know where and how it's stored.
This might seem intuitive but it's wrong unless your phone is really old and unpatched. Modern phones sandbox everything, often encrypted per-application (standard on iOS for many years, becoming common on Android), and they have storage classes which will not be included in backups or easily copied to a computer.
You could start to approach that on a laptop — make sure you have FDE enabled, use the operating system's sandboxing features pervasively, store secrets using the TPM, etc. but that's a huge amount of work and the attack surface for apps on your laptop is enormous, especially for developers: how many people using a system like the one described are one unlucky npm install away from sending their TOTP seed to an attacker? The equivalent attack requires a system compromise on a phone (which tend to have 7+ figure USD bounties on iOS).
The rate of CVEs on Android, combined with the sheer number of manufacturers who are slow about updates or just never deliver any, means that unpatched devices are nothing like the rarity that this statement suggests.
We do know how and where it is stored, a database file in /data/data/com.google.android.apps.authenticator2/databases/databases. I regularly copy it and back up in case my phone needs resetting.
This is just assuming that your phone is more secure than your laptop. Which is possibly the case but files on a phone are still copyable the same way files on a laptop are.