
> In what cases would your password vault be compromised, but your TOTP vault still be secure?

If the password vault is on one device and the TOTP app on another then it would be harder for an attacker to get into both.

I have the same concerns about passkeys. How is it secure if the only thing an attacker needs is a single method of accessing a single device?




Generally the threat model that TOTP protects against is not someone breaking into your device. The threat model that it protects against is someone compromising your other credentials. So, although not recommended, you could post your login credentials on Twitter and still nobody would be able to get into your account. An attacker hacking into your laptop/desktop/phone with access to install keyloggers and hijack connections is not really what it protects against.


> Generally the threat model that TOTP protects against is not someone breaking into your device.

And yet, in some realistic scenarios TOTP does protect me against that, if the second factor is on a different device, kind of like a poor man's yubikey.


Not if I'm on your device and hijacking your already-authenticated connection. I just need to be careful enough to do it in the background in such a way that you don't notice.


If my device got stolen I would remove the device from my accounts immediately. And without the second factor you wouldn't be able to do anything about it.


The threat is that your device is infiltrated right now.


In a corporate setup, it also somewhat protects against intentional policy-violating password sharing between employees.


> How is it secure if the only thing an attacker needs is a single method of accessing a single device?

You should have two-factor for your password vault as well, with that TOTP stored on a separate device.

In other words, you replace the model of having password+TOTP for every account with having one password+TOTP for your password vault, and effectively treat that password vault as an authentication service for yourself.


That's a good idea.

Now I just have to find out how to configure this for passkeys.



