TOTP for 2FA is incredibly easy to implement. So w...

[minus7]

>TOTP is almost purpose made to be phished.

Well, that's a tad hyperbolic. While TOTP codes have no protection against phishing, an attacker still requires interaction from the account owner every time they want to make use of it and can't use the compromised account without the owner being able to notice it. Granted, someone getting phished might not notice. Still better than nothing (but not better than a password manager checking which site it's filling the login into)

[lrvick]

This is not always true either. If you have limited control over the timestamp fed to a TOTP app you can capture codes that will be valid at any time of your choosing in the future. TOTP codes are just a magic hash of a secret and a timestamp.

Also the TOTP seeds are not stored in secure enclaves on phones but rather in plain text. Secure enclaves on phones do not have native TOTP support. Any application sandbox vulnerability on the TOTP seed containing device can give an attacker the ability to generate unlimited codes. Google Authenticator stores the secrets in an SQLite file.

It gets even worse when you consider TOTP secrets must /also/ be stored in plain text server side, normally sitting in a SQL database to be silently dumped through a pile of backend vulnerabilities most companies do not patch allowing bulk 2FA bypass.

TOTP is a fundamentally broken design that is negligent for any organization to support at this point alongside SMS. Everyone has one or more WebAuthn capable devices now regardless of if they realize it or not.

Today the right call for 2FA is to implement WebAuthn with the verification happening in a Confidential VM, HSM, Nitro Enclave or similar. Support only this.