This is the most insightful post in the entire thread. Thank you for that.
Most of the discussion here is about TOTP, which at this point is like arguing about the beautiful plumage of the dead parrot. TOTP for professional 2FA is a walking corpse, pushing up the daisies, wouldn't squawk if you put 10K volts through it [1]. If you're a company seeking to secure your infrastructure all your employees and contractors should be using U2F hardware keys to access your network. Period, end of discussion. Same for admin access to any external SaaS dependencies - and you should be loudly complaining if your SaaS does not yet support hardware keys.
And if you're a startup or even a solo developer, start looking at supporting WebAuthn so you're not caught with your pants down later, especially if you want to sell to other businesses.
Business to consumer TOTP is a more complicated issue. The future is clearly hardware keys, tied to devices like phones, but the support is not yet all there. So you're going to have to support TOTP for a while yet, since it's better than bare passwords. But you should be making plans to move to hardware U2F ASAP, and the earlier you do it the easier the transition will be later when you will have to mandate it for all your users for liability and CYA reasons.
The looming shadow over all this is account recovery, which is not a solved problem in the Business to Consumer space (IT/HR can sort you out to get back on your corp network if you lose your keys). There are too many implementations and all of them have flaws. There's little consensus on how to do it and all of the recovery methods can be misused or abused. If you lose your house keys you go to a locksmith who's usually bonded (in the US) and generally not a crook. Who do you go to if you lose all your hardware keys?
And of course there's a cost to users of having multiple hardware keys, which at $25 a pop will not fly with consumers. These things need to be basically free (your phone) or comparable to the cost of your house keys (for backups) for mass consumer uptake.
Bottom line, U2F hardware keys are the future of authentication. Learn to love and support them.
[1] https://www.youtube.com/watch?v=vZw35VUBdzo
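An added worked example, not part of the comment above and not code from any project it mentions: the relying-party side of a WebAuthn/U2F login, showing why a hardware key resists the phishing that defeats TOTP. The server checks that the browser-reported origin and the rpIdHash match its own site, that its single-use challenge came back, that the user-presence flag is set, that the signature counter moved forward, and only then verifies the ES256 signature over authenticatorData || SHA-256(clientDataJSON). The "authenticator" here is a simulation standing in for browser plus key; the domains, challenge and counter values are constructed for the demo.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/binary"
	"encoding/json"
	"errors"
	"fmt"
)

// StoredCredential is what the relying party (RP) saved at registration.
type StoredCredential struct {
	PublicKey *ecdsa.PublicKey // ES256 (P-256) key generated by the authenticator
	SignCount uint32           // last signature counter the RP accepted
}

// Assertion is the response of navigator.credentials.get() as the RP sees it.
type Assertion struct {
	AuthenticatorData []byte
	ClientDataJSON    []byte
	Signature         []byte // DER-encoded ECDSA signature
}

type clientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// VerifyAssertion runs the core RP checks of the authentication ceremony and
// returns the new signature counter to store on success.
func VerifyAssertion(cred StoredCredential, a Assertion, challenge []byte, origin, rpID string) (uint32, error) {
	var cd clientData
	if err := json.Unmarshal(a.ClientDataJSON, &cd); err != nil {
		return 0, err
	}
	if cd.Type != "webauthn.get" {
		return 0, errors.New("wrong ceremony type")
	}
	// The RP chose this challenge for this login only, so a captured assertion cannot be replayed.
	if cd.Challenge != base64.RawURLEncoding.EncodeToString(challenge) {
		return 0, errors.New("challenge mismatch")
	}
	// The browser fills in the origin it is actually on; a look-alike domain cannot forge it.
	if cd.Origin != origin {
		return 0, errors.New("origin mismatch")
	}
	if len(a.AuthenticatorData) < 37 {
		return 0, errors.New("authenticator data too short")
	}
	rpIDHash := sha256.Sum256([]byte(rpID))
	if !bytes.Equal(a.AuthenticatorData[:32], rpIDHash[:]) {
		return 0, errors.New("rpIdHash mismatch")
	}
	if a.AuthenticatorData[32]&0x01 == 0 { // UP flag: the user touched the key
		return 0, errors.New("user presence not asserted")
	}
	count := binary.BigEndian.Uint32(a.AuthenticatorData[33:37])
	if (count != 0 || cred.SignCount != 0) && count <= cred.SignCount {
		return 0, errors.New("signature counter did not increase: possible cloned authenticator")
	}
	cdHash := sha256.Sum256(a.ClientDataJSON)
	digest := sha256.Sum256(append(append([]byte{}, a.AuthenticatorData...), cdHash[:]...))
	if !ecdsa.VerifyASN1(cred.PublicKey, digest[:], a.Signature) {
		return 0, errors.New("bad signature")
	}
	return count, nil
}

// SimulateAuthenticator stands in for browser plus hardware key (constructed for
// this demo). It puts the origin the browser observed into clientDataJSON and the
// hash of the rpID it was asked for into authenticatorData, then signs both.
func SimulateAuthenticator(priv *ecdsa.PrivateKey, rpID, origin string, challenge []byte, count uint32) (Assertion, error) {
	cdJSON, err := json.Marshal(clientData{Type: "webauthn.get",
		Challenge: base64.RawURLEncoding.EncodeToString(challenge), Origin: origin})
	if err != nil {
		return Assertion{}, err
	}
	rpIDHash := sha256.Sum256([]byte(rpID))
	authData := make([]byte, 37)
	copy(authData, rpIDHash[:])
	authData[32] = 0x01 // UP
	binary.BigEndian.PutUint32(authData[33:], count)
	cdHash := sha256.Sum256(cdJSON)
	digest := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	sig, err := ecdsa.SignASN1(rand.Reader, priv, digest[:])
	return Assertion{AuthenticatorData: authData, ClientDataJSON: cdJSON, Signature: sig}, err
}

func main() {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	cred := StoredCredential{PublicKey: &priv.PublicKey, SignCount: 41}
	challenge := make([]byte, 32)
	rand.Read(challenge)
	good, _ := SimulateAuthenticator(priv, "example.com", "https://example.com", challenge, 42)
	_, err := VerifyAssertion(cred, good, challenge, "https://example.com", "example.com")
	fmt.Println("genuine login:", err)
	// Same key relayed through a look-alike domain: the browser reports the real origin, so the RP refuses.
	phish, _ := SimulateAuthenticator(priv, "examp1e.com", "https://examp1e.com", challenge, 43)
	_, err = VerifyAssertion(cred, phish, challenge, "https://example.com", "example.com")
	fmt.Println("relayed via look-alike domain:", err)
}
```

A real key would not even produce the second assertion, because it holds no credential scoped to the look-alike rpID; the simulation signs anyway to show that the RP-side checks reject it regardless. A TOTP code has no such binding, which is why a relay site can forward it in real time.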