
There are a couple of differences:

1. While a password manager should associate a TOTP seed with a domain and only fill codes on that domain, the codes are still visible to you. A convincing phishing attack might trick you into manually entering a code into a fake page. Passkeys don't allow this.

2. TOTP codes are derived from a seed shared between the client and server, so an attacker who gets read access to the server's database could generate your codes. With passkeys, the server can only validate a signature, not generate them.
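Both differences above, as an added example in Go (not code from the original comment). It uses the RFC 6238 reference seed as a constructed TOTP secret, and models a passkey with an Ed25519 key pair where the server keeps only the public half. The origin binding is simplified to a map lookup by relying-party ID and a signed message of `rpID || challenge`; real WebAuthn binds the origin through the rpIdHash in the authenticator data and the origin in clientDataJSON, and more commonly uses ES256 than Ed25519. Names such as `MintFromStolenDB` and `ForgeFromStolenDB` are illustrative, not any library's API.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha1"
	"encoding/binary"
	"fmt"
	"math"
)

// TOTP computes an RFC 6238 code (HMAC-SHA1, 30-second step) from the seed
// shared between authenticator and server. Both sides run this same function.
func TOTP(seed []byte, unixTime int64, digits int) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], uint64(unixTime/30))
	mac := hmac.New(sha1.New, seed)
	mac.Write(msg[:])
	h := mac.Sum(nil)
	off := h[len(h)-1] & 0x0f // dynamic truncation, RFC 4226 section 5.3
	code := binary.BigEndian.Uint32(h[off:off+4]) & 0x7fffffff
	return fmt.Sprintf("%0*d", digits, code%uint32(math.Pow10(digits)))
}

// totpRecord is what a TOTP-enrolled server must keep: the seed itself.
type totpRecord struct{ seed []byte }

// MintFromStolenDB models an attacker with read access to the server database:
// the stolen seed yields exactly the code the user's app shows right now.
func MintFromStolenDB(db map[string]totpRecord, user string, now int64) string {
	return TOTP(db[user].seed, now, 6)
}

// passkeyRecord is what a passkey-enrolled server keeps: only the public key.
type passkeyRecord struct{ pub ed25519.PublicKey }

// authenticator holds private keys and never releases them. Credentials are
// looked up by relying-party ID, which is why a look-alike domain gets nothing
// (simplified stand-in for WebAuthn's rpIdHash/origin checks).
type authenticator struct{ creds map[string]ed25519.PrivateKey }

func NewAuthenticator() *authenticator {
	return &authenticator{creds: map[string]ed25519.PrivateKey{}}
}

// Register creates a credential for rpID and hands the server only the public half.
func (a *authenticator) Register(rpID string) passkeyRecord {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	a.creds[rpID] = priv
	return passkeyRecord{pub: pub}
}

// Assert signs rpID||challenge with the credential registered for rpID;
// ok is false when no credential exists for that rpID.
func (a *authenticator) Assert(rpID string, challenge []byte) (sig []byte, ok bool) {
	priv, found := a.creds[rpID]
	if !found {
		return nil, false
	}
	return ed25519.Sign(priv, signedMessage(rpID, challenge)), true
}

func signedMessage(rpID string, challenge []byte) []byte {
	return append([]byte(rpID), challenge...)
}

// VerifyAssertion is the server-side check: it can validate, never generate.
func VerifyAssertion(rec passkeyRecord, rpID string, challenge, sig []byte) bool {
	return ed25519.Verify(rec.pub, signedMessage(rpID, challenge), sig)
}

// ForgeFromStolenDB models the same database read against a passkey record:
// with only a public key, the attacker can sign with a key of their own, and
// that signature does not verify.
func ForgeFromStolenDB(rec passkeyRecord, rpID string, challenge []byte) bool {
	_, attackerPriv, _ := ed25519.GenerateKey(rand.Reader)
	sig := ed25519.Sign(attackerPriv, signedMessage(rpID, challenge))
	return VerifyAssertion(rec, rpID, challenge, sig)
}

func main() {
	seed := []byte("12345678901234567890") // constructed: RFC 6238 reference seed
	db := map[string]totpRecord{"alice": {seed: seed}}
	now := int64(59)
	fmt.Println("user's app shows:   ", TOTP(seed, now, 6))
	fmt.Println("attacker mints:     ", MintFromStolenDB(db, "alice", now))

	auth := NewAuthenticator()
	rec := auth.Register("bank.example")
	challenge := make([]byte, 32)
	rand.Read(challenge)
	sig, _ := auth.Assert("bank.example", challenge)
	fmt.Println("genuine assertion:  ", VerifyAssertion(rec, "bank.example", challenge, sig))
	_, ok := auth.Assert("bank-example.evil", challenge)
	fmt.Println("phishing site gets: ", ok)
	fmt.Println("forge from DB read: ", ForgeFromStolenDB(rec, "bank.example", challenge))
}
```

The TOTP half is checkable against the RFC 6238 test vectors (seed `12345678901234567890`, T=59 gives 94287082 with 8 digits); the point is that the same function runs on the server, so a database read is equivalent to holding the user's authenticator. The passkey half shows the asymmetry in the other direction: the server record verifies but cannot produce a signature, and a domain the authenticator never registered for has no credential to sign with.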



> A convincing phishing attack might trick you into manually entering a code into a fake page.

Sadly, for a far too large population of users, a convincing phishing attack will be successful, even if the tech. is flashing ten different warnings of "this is a phishing attack page" at the same time. You can't "technology" around human nature for a subset of the population.



