An attacker compromising your desktop would ordinarily -also- need to compromise a second device like a Yubikey or a phone.
Regularly exposing 2FA secrets in plain text to the system memory of your (potentially compromised) endpoint defeats a lot of the point of 2FA. If an attacker can access the secret they can generate unlimited codes. Even if all they can do is change the system clock they can get codes valid in the future.
I really wish dangerous advice like this would stop getting upvoted.
Also, TOTP is phishable, so never use it if more secure methods like FIDO2 are supported on a service.
macOS and iOS have TOTP built-in to the keychain now. I've moved all my tokens from Authy to the built-in keychain and it's a much smoother login experience.
Let me also mention this project which lets you use a standard TOTP token in place of Symantec VIP:
Smoother but far less secure. Now any malware on your machine gets an unlimited free pass at your TOTP codes and can even change your system clock to get codes valid in the future.
To be fair Authy stores all TOTP secrets in plain text on the phone so it is pretty awful too. Use Yubico authenticator, Ledger, or Trezor for TOTP when you must use TOTP but more importantly use FIDO2 whenever you have the choice.