>AFAIK that means it'll take more than a jailbreak to get to them, although I don't know if OTP apps are using that capability or not.
sure, you wouldn't be able to extract the keys, but what's preventing you from generating thousands of codes and extracting those instead? since they're time based, you could easily generate lots of them for a long time into the future (e.g. 10 per day for the next 5 years). that should afford you plenty of opportunities to do a login attempt.
This can't be used directly for generating OTP tokens (see the other comments), but what would stop you with a normal key on the secure enclave is that you can have the enclave itself require a higher level of authentication (facial scan match, fingerprint scan) to perform those key operations.
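
The access control described in the comment above, as an added example that is not part of the original thread: a Swift sketch that creates a P-256 signing key inside the Secure Enclave and binds every private-key operation to a biometric match. The key tag and the function and error names are hypothetical, and the code assumes a device with a Secure Enclave and enrolled biometrics.

```swift
import Foundation
import Security

// Hypothetical application tag, used only to look the key up again later.
let keyTag = "com.example.enclave-demo.signing".data(using: .utf8)!

enum EnclaveError: Error {
    case accessControl(String), keyGeneration(String), signing(String)
}

private func describe(_ error: Unmanaged<CFError>?) -> String {
    guard let error = error else { return "unknown error" }
    return String(describing: error.takeRetainedValue())
}

/// Creates a private key that never leaves the Secure Enclave and that the
/// enclave will only use after a successful Face ID / Touch ID match.
func makeBiometricBoundKey() throws -> SecKey {
    var cfError: Unmanaged<CFError>?
    // .privateKeyUsage: the policy applies to operations with the private key.
    // .biometryCurrentSet: require a biometric match; the key becomes
    // unusable if the set of enrolled fingers or faces changes.
    guard let access = SecAccessControlCreateWithFlags(
        kCFAllocatorDefault,
        kSecAttrAccessibleWhenUnlockedThisDeviceOnly,
        [.privateKeyUsage, .biometryCurrentSet],
        &cfError) else { throw EnclaveError.accessControl(describe(cfError)) }

    let attributes: [String: Any] = [
        kSecAttrKeyType as String: kSecAttrKeyTypeECSECPrimeRandom,
        kSecAttrKeySizeInBits as String: 256,
        kSecAttrTokenID as String: kSecAttrTokenIDSecureEnclave,
        kSecPrivateKeyAttrs as String: [
            kSecAttrIsPermanent as String: true,
            kSecAttrApplicationTag as String: keyTag,
            kSecAttrAccessControl as String: access,
        ] as [String: Any],
    ]
    guard let key = SecKeyCreateRandomKey(attributes as CFDictionary, &cfError) else {
        throw EnclaveError.keyGeneration(describe(cfError))
    }
    return key
}

/// Signs a message; the system asks for the biometric match before the
/// enclave performs the operation, so code running in the app cannot sign silently.
func sign(_ message: Data, with key: SecKey) throws -> Data {
    var cfError: Unmanaged<CFError>?
    guard let signature = SecKeyCreateSignature(
        key, .ecdsaSignatureMessageX962SHA256, message as CFData, &cfError) else {
        throw EnclaveError.signing(describe(cfError))
    }
    return signature as Data
}
```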