
This is dangerously untrue; while TOTP is clearly not as secure as a hardware token, it's much more secure than just username/password. It requires the adversary to do more work, and also provides more clues for the server that something phishy is going on. It's also much easier to sell to users, especially for free-but-critical services like webmail. You're not going to convince everyone to buy a $30 hardware token to protect their free Gmail account; meet your users where they are.

By all means, move towards a hardware-based 2FA setup. But don't let that prevent intermediate steps to improve security along the way.

Your example is also deeply flawed, as it can be used to steal auth tokens for 2FA sites, even if they use FIDO. MITM is game over.
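The commenter's point that TOTP gives the server "more clues" than a bare password is concrete enough to show in code. The following is an added example, not code from the comment or from any product it mentions: a server-side RFC 6238 TOTP check (HMAC-SHA1, 30-second step, 6 digits, a plus/minus one step window) that records the highest counter it has already accepted. A code that is cryptographically valid but belongs to an already-consumed step is classified as a replay rather than a plain mismatch, which is exactly the kind of signal a relay or phishing proxy produces and a password check never can. The `TotpVerifier` class, its `window` parameter and the reason strings are assumptions of this example; the secret used in the usage call is the RFC 6238 test-vector secret, not a real key.

```python
import hashlib
import hmac
import struct

STEP = 30    # RFC 6238 default time step in seconds
DIGITS = 6   # code length


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 8-byte counter, dynamic truncation."""
    msg = struct.pack(">Q", counter)
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, now: int, step: int = STEP) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(secret, now // step)


class TotpVerifier:
    """Server-side verifier (assumed name) that remembers the last accepted step.

    Besides accept/reject it returns a reason, so the login pipeline can treat
    a replayed-but-valid code differently from a typo.
    """

    def __init__(self, secret: bytes, window: int = 1):
        self.secret = secret
        self.window = window          # steps of clock skew tolerated on each side
        self.last_counter = -1        # highest counter already consumed by a login
        self.failures = 0             # consecutive failures, a brute-force signal

    def verify(self, code: str, now: int) -> tuple[bool, str]:
        code = code.replace(" ", "")
        if not (code.isascii() and code.isdigit() and len(code) == DIGITS):
            self.failures += 1
            return False, "malformed"

        counter = now // STEP
        for delta in range(-self.window, self.window + 1):
            candidate = counter + delta
            expected = hotp(self.secret, candidate)
            if hmac.compare_digest(expected, code):
                if candidate <= self.last_counter:
                    # Right code, but for a step a login already used: someone
                    # is re-submitting a captured code.
                    self.failures += 1
                    return False, "replay"
                self.last_counter = candidate
                self.failures = 0
                return True, "ok"

        self.failures += 1
        return False, "invalid"


if __name__ == "__main__":
    # Constructed demo using the RFC 6238 Appendix B secret.
    secret = b"12345678901234567890"
    t = 59  # RFC test time; step counter 1
    v = TotpVerifier(secret)
    print(totp(secret, t))                 # the code a user's app would show
    print(v.verify(totp(secret, t), t))    # first use: accepted
    print(v.verify(totp(secret, t), t))    # same code again: replay, not "wrong"
    print(v.verify("000000", t))           # genuine mismatch
```

The replay reason is the actionable part: a steady stream of `invalid` results looks like guessing and is handled by rate limiting, whereas even a single `replay` for a code that was accepted seconds earlier from a different client is a direct indicator of the relay attack the comment describes, and is worth alerting on or stepping up to a stronger factor.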


