I was referring to TOTP. Some 2FA doesn't protect against this, sure. But the whole point of TOTP is that the codes change over time, so having the current TOTP token is entirely useless. This is literally the threat model of TOTP. The only way of breaking it is to get the shared key (which a keylogger won't do, and you need to attack the TOTP device).

A TOTP code is valid for a minute - an attacker who could exfiltrate it fast enough could reuse it.

Of course, if you could do that you could probably compromise browser cookies anyway.

Most services I use have 30 second TOTP codes, but if you're facing an attacker that can perform an on-demand replay attack in the same time it takes for GMail to load then you have much bigger problems (like hijacking browser sessions). Also, my response was in relation to saying that there was "no security improvement" which is simply not true.

I'm not sure we're discussing the same threat model here. If you're worried about long-term compromise then that race window is a much smaller concern than the fact that having a TOTP code makes it so that an attacker can't just keylog you and get the password at a later time.

Agreeing on threat models is the first step in any discussion about security. Does your threat model include being so badly owned that a keylogger on your machine can exfiltrate data so quickly that someone can replay your login session? Is that a reasonable threat model? Is it helpful to require that to be solved or otherwise not be considered good enough?