> If you are using a strong random password generated from 1PW you've already mitigated against that threat. TOTP isn't buying you much additional security.
Why isn't TOTP buying much additional security?
It seems to me that apart from password reuse it's mitigating many other potential problems: keyloggers leaking passwords from your device, passwords leaking from the authenticating server, etc.
Not exactly the question you asked but one reason FIDO/Ubikey provides more protection than TOTP is that it won't send codes to the wrong website. If you're being phished skillfully, and don't notice the URL is wrong, you're protected in that way. If you use TOTP you have to verify the URL manually.
One way passwords leak from servers is when they're being inappropriately logged (like at the POST-level), which is not going to happen for TOTP seeds.
True enough. However, unlike a password, you can’t take a hash of it and thus reduce the consequence of exposure. It’s just another shared secret, albeit one that doesn’t rely on the fallibility of human creation.
The only good solution is WebAuthn and related technologies (phone passkeys for disaster recovery), so that server side needs nothing more than a public key.
Why isn't TOTP buying much additional security?
It seems to me that apart from password reuse it's mitigating many other potential problems: keyloggers leaking passwords from your device, passwords leaking from the authenticating server, etc.