TOTP is a cute trick (we used to do mOTP which is very similar, on phones, back when "smart" phones weren't a thing yet) - But, it isn't actually really good security. It's easily phished and it relies on a secret which means either party might leak that secret.
FIDO in contrast has better security and retains control, with the main loss being simplicity, I understand how it works pretty well, but most people aren't going to really put the time in or have the inclination.
FIDO is designed to be used for things like WebAuthn, which can't be phished, and doesn't use secrets so the Relying Party doesn't know anything which can be compromised.
You can build one yourself, buy Solo Keys, or indeed buy a Yubico product.
I actually prefer TOTP, at least personally, as a perfect compromise. The problems with FIDO, besides the obvious lack of adoption, are the expense of key devices, difficulty of backups, and lack of support on many devices that don't have NFC (even those that do are frequently spotty)
The 'leaking' of the secret is, to me, a feature. That means I can safely store it as a backup (printed in a safe, even) and restore it to any device I want in seconds. I don't care about a leak by the service, because that is game over for my data there anyway: if they can't protect 2F secrets, nothing is safe.
Really, mutual TLS would be perfect, but nobody is going to support that. I seem to remember even Windows tried something like that a decade ago and even their weight couldn't break us away from passwords for Internet sites.
Both Android[1] and iOS[2] have both recently gained support for acting as WebAuthn authenticators, supporting authenticating on other devices (Chrome/Safari on desktop gives you a QR code to scan, then the devices communicate via Bluetooth to use the phone as a WebAuthn authenticator). The keys also sync via your Apple ID/Google account. Should go someway towards making WebAuthn a viable replacement to TOTP for people who need to sign in across multiple devices and don't want to buy a hardware authenticator, though more widespread support is necessary I think.
Sure, don't then. But other people are insistent that they can't tolerate the inconvenience of needing to own more than one authenticator, and yet they also can't tolerate the risk of losing an authenticator, so this is how they can square that circle.
My point was more that WebAuthn is starting to become a more viable option for the average person, with phone based authenticators that can be used to authenticate on multiple devices and keeps your keys backed up. I wouldn't use Google sync for WebAuthn myself either.
If you can't properly backup your FIDO credentials the practical security for vast majority of individuals is much, much worse than TOTP. It is extremely inconvenient and the risk of locking yourself out is truly massive.
Does Solo Keys enable that?
Generate whatever you need on your PC and then load it into as many keys you feel like.
Thats the point of passkeys. They can be backed up and sync'ed between devices.
But even if you don't want to use the popular passkey implementations, you can still easily register multiple authenticators which mitigates the risk of losing one. On a new site, I'll register my hardware FIDO key, my phone as a passkey, and my laptop authenticator (either touch-id on MacOS or tpm-fido on linux machines).
Soon there will be other passkey implementations that will also support syncing and backups (1password for example is working on this).
Don't settle for a phishable authentication method.
I bought two keys, keep one at home and one on my keyring. If my house burns down AND I lose my keys, there's account recovery codes that they have you note down - those I keep offline in geographically separate areas.
Some people insist on having attestation, and presumably if we said "No" they would build their own authentication standard with blackjack and hookers (and attestation).
I don't see it myself, but they really want it, and in niche environments it's not crazy. If you issue all 5000 employees with Fictional Corp. very secure fingerprint authenticators, checking for the Fictional Corp. attestation means you can be sure nobody used their factory default Solo Hacker Key FIDO device and then pasted the resulting values into a GitHub Gist. Would anybody really do that? Well, maybe, after all there were various SecurID tokens facing public webcams so that their owners could use the OTP from the token without risk of losing it...
However, on the public web no relying party (~ web site) should use this, especially one which offers some other unattested alternatives; and you as user shouldn't allow attestation if attempted -- at least Firefox and I believe Chrome let you say "No" and you should.
I built one myself. I've yet to find a site that doesn't support it. I'm sure there are some out there, but in practice attestation isn't a big problem.
Except the industry is moving away from attestation. The popular passkey implementations don't support it. You won't see attestation use outside of enterprise specific settings.
FIDO in contrast has better security and retains control, with the main loss being simplicity, I understand how it works pretty well, but most people aren't going to really put the time in or have the inclination.
FIDO is designed to be used for things like WebAuthn, which can't be phished, and doesn't use secrets so the Relying Party doesn't know anything which can be compromised.
You can build one yourself, buy Solo Keys, or indeed buy a Yubico product.