TOTP = Time Based One Time Password
2FA = Two Factor Authentication
Firstly, I use TOTP 2FA in a lot of places, mainly because it does add some security improvement. My contention is that it does little more than a longer password.
There is some chance that the segmented dual login process is more secure than simply a longer password because it creates a second wall to get over; a wall that you could not even arrive at without penetrating the first wall, so if you were trying to brute force your way through the second wall, you would have to keep passing through the first wall, which would slow you down considerably. There’s probably an argument to be made there, but I could just as easily create a two-password login system that uses two stationary passwords and achieve the same thing. In fact, a two-password login system might even be better.
So, here’s why I am calling it “silly”: The strength of 2FA is supposed to be the idea that you have a moving target. A short-lived password that lasts 30-60 seconds and then changes to something else, so it cannot really be brute forced. The problem is when you set up 2FA, they give you backup codes. Backup codes are a list of 5-10 2FA passwords that are frozen, non-moving targets. Essentially, it’s like protecting myself with a bullet proof vest and then painting a bullseye on my forehead. Or like adding extra deadbolts to my front door while propping open my back door, just in case I lock myself out.
What you end up with is a list of multiple acceptable passwords. So, while there is a “time based one time” moving target that cannot be brute forced, you also have a list of 10 alternative stationary targets that can be brute forced. Again, 10! If I set up a two-password login system, there would only be one stationary target, and I could make it as long and as complex as I want. TOTP backup passwords are usually short and lack special characters, so they are not considered good passwords anyway.
Like I said in the beginning, having two medium thickness walls to penetrate could be better than one single thick wall… maybe. My probable conclusion is that 2FA is no more than extra characters on your password or a second login process. So, I use it, but I don’t think it’s any more secure than a good password.
Disclaimer: I’m no security expert. I’m just throwing logic at it. If you know I’m wrong, please tell me how.