Hacker News

AFAIK TOTP doesn't provide protection against phishing / MITM attacks if the attacker is able to respond within the time window (usually ~2x 30 seconds).

It also has limited benefit against brute force attacks since it's essentially just a few extra numbers added to the password (although that certainly helps).

It does provide a defense against previously leaked passwords, and keyloggers if they aren't immediately used.

I'd love to be corrected if this isn't the case though.

EDIT: Totally forgot - it also protects you if your password manager is breached, assuming you don't store it in the password manager



> AFAIK TOTP doesn't provide protection against phishing / MITM attacks if the attacker is able to respond within the time window (usually ~2x 30 seconds).

This assumes a sophisticated attack, which is absolutely possible (I’ve even seen it happen), but is less likely than a form that just captures information. In any case, in the attack you describe, storing the TOTP externally doesn’t provide any additional protection over storing it within the password manager.

> EDIT: Totally forgot - it also protects you if your password manager is breached, assuming you don't store it in the password manager

Yeah, that’s the entire point of the article. But managing TOTP separately can be a bit painful. So I’m saying that if you want a bit of additional security without any inconvenience, there are still benefits to storing a TOTP in your password manager as opposed to having no MFA at all.


Oh yeah totally agree with you on all of that.

I wanted to make sure the limitations were pointed out: TOTP doesn't itself protect against sophisticated MITM/phishing attacks, which a lot of people I've met thought it did.

But it absolutely provides some level of protection against unsophisticated attacks, and it's still helpful even inside your password manager.


If you use the browser extension, it provides resistance against phishing attacks because the password and TOTP won't auto-populate. It doesn't help against sophisticated MITM attacks at all - for those you need U2F / WebAuthn.

It helps against brute force attacks but how much it helps depends on the service. If your service prompts for a 2FA code when provided with an incorrect password, then it helps a lot. If an attacker receives confirmation that they have a correct password before needing to enter the 2FA code, then it helps less.
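
The two points above (a phished code replayed inside the acceptance window, and a login flow that confirms the password before asking for the code) can be shown with a small RFC 6238 TOTP implementation. This is an added example, not code from the thread or from any password manager; the secret, the user record and the `login_leaky` / `login_strict` flows are constructed for the demo, and the user store keeps the password in plaintext only to keep the example short (a real service would store an Argon2/bcrypt hash).

```python
import base64
import hashlib
import hmac
import struct

STEP = 30    # RFC 6238 time step in seconds
DIGITS = 6
SKEW = 1     # also accept the previous and next step: a code can be valid for up to ~90 s

# Constructed demo secret, in the base32 form an enrolment QR code would carry.
SECRET_B32 = "JBSWY3DPEHPK3PXP"
SECRET = base64.b32decode(SECRET_B32)


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 8-byte counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, now: int) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(secret, now // STEP)


def verify_totp(secret: bytes, code: str, now: int, skew: int = SKEW) -> bool:
    """Accept the code for the current step and +/- skew steps, constant-time compare."""
    current = now // STEP
    return any(hmac.compare_digest(hotp(secret, c), code)
               for c in range(current - skew, current + skew + 1))


def relay_attack(secret: bytes, phish_time: int, delay: int) -> bool:
    """Real-time phishing: the victim types the code into the fake page at phish_time
    and the attacker forwards it to the real service `delay` seconds later.
    Returns True if the real service accepts the relayed code."""
    captured = totp(secret, phish_time)
    return verify_totp(secret, captured, phish_time + delay)


# Constructed user record for the login-flow comparison.
USERS = {"alice": {"pw": "correct horse", "secret": SECRET}}


def login_leaky(user: str, password: str, code: str, now: int) -> str:
    """Checks the password first and reports its result before looking at the code,
    so the attacker learns when the password alone is right."""
    u = USERS.get(user)
    if u is None or not hmac.compare_digest(u["pw"], password):
        return "bad_credentials"
    if not verify_totp(u["secret"], code, now):
        return "bad_totp"
    return "ok"


def login_strict(user: str, password: str, code: str, now: int) -> str:
    """Always requires both factors and returns one generic failure: a wrong
    password and a wrong code look the same from the outside."""
    u = USERS.get(user)
    pw_ok = u is not None and hmac.compare_digest(u["pw"], password)
    totp_ok = u is not None and verify_totp(u["secret"], code, now)
    return "ok" if (pw_ok and totp_ok) else "bad_credentials"


def leaks_password_oracle(login_fn, now: int) -> bool:
    """Attacker's view: send a junk code with a wrong password and with the right one.
    If the two responses differ, the password can be brute-forced on its own."""
    junk = "xxxxxx"   # never equals a 6-digit code, so the second factor always fails
    wrong = login_fn("alice", "wrong guess", junk, now)
    right = login_fn("alice", "correct horse", junk, now)
    return wrong != right


if __name__ == "__main__":
    t = 1_000_000
    print("relay after 20 s accepted:", relay_attack(SECRET, t, 20))
    print("relay after 90 s accepted:", relay_attack(SECRET, t, 90))
    print("leaky flow exposes password oracle:", leaks_password_oracle(login_leaky, t))
    print("strict flow exposes password oracle:", leaks_password_oracle(login_strict, t))
```

With `SKEW = 1` the relay succeeds 20 s after the victim typed the code and fails at 90 s, which is the window the first comment refers to; shrinking the skew shortens the attacker's window but does not close it, which is why only origin-bound credentials (U2F/WebAuthn) stop the relay. The oracle check shows the second point: `login_leaky` answers differently for a wrong password than for a right password with a bad code, so an attacker can brute-force the password first and only then worry about the code, whereas `login_strict` gives the same answer in both cases.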


TOTP slows down brute-forcing a service through normal access patterns (e.g. login, password reset). By normal access, I mean as provided by the software/vendor. One would hope said service has rate limiting and other mitigations to prevent bad actors brute-forcing this way, of course.

However, it is a second defense enforced by process/code alone (which can be turned off if you have access to the source). It doesn't affect the way your password is stored on the server; in the event of a leak or hack, TOTP provides no brute-force benefit.


Like many security measures, it slows down an attacker, does not stop them.

And my Bitwarden Vault is hosted on a server I own. If it gets breached, I'm in deep trouble regardless.



