
How is it not a second factor?

It's something else that is unrelated to your password that you have to provide in order to log in; is that not the definition of a factor of authentication?

Because it's phishable?



Passwords are "something you know". TOTP is "something you know". It wanted to be "something you have", but it's not. Proof: I can put TOTP tokens into my password manager now. Anything that can go into my password manager is proved to be "something I know" by the fact I can put it into my password manager.

Incidentally, passkeys go into my password manager too. You can probably work the math from there.

(I'm heterodox on this matter, though. I don't believe in the existence of "things you are" and "things you have". I think it's all ultimately just "things you know" and it's all better analyzed in terms of the cost of knowing and proving knowledge, and that the 3-factor framework for authentication is wrong.)


Isn't it the same for passkeys? I can put passkeys in password managers like Bitwarden, 1password, ...


Yes. Passkeys help with the bad password problem. That’s a big deal but doesn’t magically solve everything.

To address other security risks more comprehensively, you need to have a tight issuance process and use something key based in hardware. I'm working on a project where we deploy YubiKeys or similar, with an audit trail of which is used by whom.

High trust environments need things like enterprise attestation and a solid issuance process to meet the control needs. Back in the day, the NIST standards required a chain of custody log of the token - you could only use in-person delivery or registered mail to send them.

That’s overkill, but the point is the technology is only one part of the solution for these problems.


Within the larger spec, you can whitelist a set of known devices, such as only allowing YubiKeys, etc., which would prevent the private key material from getting into your password manager.


You can, but the server can require a device attestation during registration, proving that you're actually using a YubiKey or whatever. That isn't possible with TOTP.


> Incidentally, passkeys go into my password manager too. You can probably work the math from there.


Incidentally, biometric scans can also go in password managers. Turns out it's all just bits. Who knew?

The best you can do is attestation. Embed a certificate and private key in the TPM that says it's a real genuine FooBarCorp TPM, and sign all responses with that private key. This is terrible for the open ecosystem. It's also the only way to do the thing everyone sells their product on being able to do, so if it's allowed, then it's inevitable.


I think you're all missing a bit of the point.

With TOTP (as well as passkeys) you as a consumer are safe from a vendor being hacked and your credentials being leaked from their side. You're also safe from phishing attacks.

On the other side, using passkeys or password+TOTP, a vendor is safe from credential stuffing with credentials a malicious actor gained through the above.

Sure, you can say that they're both the same factor. But even so, it has real security benefits which are much more important than just fitting into authentication factor categories that were thought up more than a decade ago.

There's a big difference between a malicious actor gaining access to millions of devices to steal the TOTP cryptographic string of users and gaining access to a single vendor. TOTP doesn't save you from the first case, but it sure as hell saves you from the second being disastrous.


> it's all better analyzed in terms of the cost of knowing and proving knowledge


It's a second password - not a bad thing, but still vulnerable to many categories of attacks.


TOTP is not a second password; it is immune to data/password leaks because it expires quickly.


Not really. You just need a working clock and the string. Conveniently available in your password manager.
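As an added illustration of the point made above (this is example code, not something any commenter in the thread posted), here is RFC 4226 HOTP and RFC 6238 TOTP written out in plain Python. A TOTP code is a pure function of the shared seed and the current clock step, so anyone holding both the seed and a clock (the server, the authenticator app, a password manager) derives exactly the same digits; the expiry that makes a single code short-lived does nothing to protect the seed itself. The verifier side shows the two defensive controls a relying party actually has: a small acceptance window for clock skew and a high-water mark of the last counter accepted, so a code cannot be replayed within its own validity period. The secret and timestamps are the published RFC 6238 test vectors.

```python
import hashlib
import hmac
import struct
from typing import Optional

# RFC 6238 Appendix B test secret for the SHA-1 variant (ASCII "12345678901234567890").
RFC6238_SECRET = b"12345678901234567890"
STEP_SECONDS = 30


def hotp(secret: bytes, counter: int, digits: int = 6, algorithm=hashlib.sha1) -> str:
    """RFC 4226 HOTP: HMAC over the big-endian 8-byte counter, dynamic truncation, mod 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algorithm).digest()
    offset = mac[-1] & 0x0F
    # 31-bit dynamic truncation (mask off the sign bit) of 4 bytes at the offset.
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = STEP_SECONDS,
         digits: int = 6, algorithm=hashlib.sha1) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the clock.

    Note that the only inputs are the seed and the time; whoever holds the seed
    (server, phone app, or password manager) computes identical codes.
    """
    return hotp(secret, unix_time // step, digits, algorithm)


def verify_totp(secret: bytes, submitted: str, unix_time: int,
                last_used_counter: Optional[int] = None,
                window: int = 1, step: int = STEP_SECONDS,
                digits: int = 6) -> Optional[int]:
    """Relying-party check. Returns the accepted counter, or None on rejection.

    - `window` steps of skew on either side are tolerated (RFC 6238 suggests at most one).
    - Counters at or below `last_used_counter` are refused, so a code observed in
      transit cannot be replayed within its own validity period. The caller is
      expected to persist the returned counter as the new high-water mark.
    """
    current = unix_time // step
    for counter in range(current - window, current + window + 1):
        if last_used_counter is not None and counter <= last_used_counter:
            continue
        # Constant-time comparison so the check does not leak matching prefixes.
        if hmac.compare_digest(hotp(secret, counter, digits), submitted):
            return counter
    return None


def demo() -> dict:
    """Walk through the scenario from the thread on the RFC test vectors."""
    t = 59  # RFC 6238 test time; falls in counter step 1
    server_code = totp(RFC6238_SECRET, t, digits=8)
    # A second party holding the same seed and a clock (e.g. a password manager)
    # computes the same code without any interaction with the server.
    manager_code = totp(RFC6238_SECRET, t, digits=8)
    accepted = verify_totp(RFC6238_SECRET, server_code, t, digits=8)
    # Same code presented again within the window: refused because the counter is spent.
    replayed = verify_totp(RFC6238_SECRET, server_code, t, last_used_counter=accepted, digits=8)
    return {
        "server_code": server_code,
        "manager_code": manager_code,
        "accepted_counter": accepted,
        "replay_result": replayed,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The takeaway for a defender is in the signatures: `totp()` needs nothing but the seed and the clock, so the seed must be treated with the same care as a password hash database on the server and as a password in the client; `verify_totp()` is where the relying party earns its limited protection, by keeping the skew window small and refusing already-used counters.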


Same with passkeys when you think about it. Just need the private key.

For fingerprints/etc you generally just need a great camera.



