Hacker News

>Most TOTP apps support backups/restores, which defeats this.

Citation needed? Yubico authenticator doesn't (the secure enclave is the Yubikey). I'd be very surprised if MS Authenticator and Authy (which I don't use but are the most popular apps that I know of) support such backups



> Citation needed? Yubico authenticator doesn't (the secure enclave is the Yubikey). I'd be very surprised if MS Authenticator and Authy (which I don't use but are the most popular apps that I know of) support such backups

Google Authenticator has an export option that I've used in the past, so that one does it for sure. Authy allows cloud-based synchronization in any case, so exporting seems quite possible. MS Authenticator also allows cloud sync, so probably exporting is not difficult.


> cloud-based synchronization

Well I don't disagree that it might be possible to abuse cloud sync in some way to export the secrets, but it's not quite as egregious as just including the secrets by default in an app backup

Not perfect, but (imho) still better than SMS 2FA, mail 2FA, or lack of 2FA



