
> Hardware keys and passkeys are better because they can't be phished.

I think you're missing the point I made -- that because of the way sites are currently set up, your password can be phished even if you have a passkey, and your password is good enough to get you in.

So given that that is the current state of things, isn't TOTP better because it prevents this? Because at least the TOTP won't let an adversary get in a second time.



Sorry, I overlooked part of your post earlier - I'm tired. As I previously alluded to, I don't use passkeys due to concerns about their implementation. Whether passkeys are better than TOTP really depends on the individual user's circumstances.

Which service is it? Do they ever use that password?

If I were used to signing in with a passkey, I'd find a password prompt suspicious. While the average person might not, it's also possible they would have forgotten the password entirely. There are other services that force TOTP even with hardware keys enrolled. Technically they can be phished, but it would not be successful in all cases.

Unfortunately, varying behavior and support for multifactor protocols (along with risky reset flows) makes it hard to give blanket recommendations.



