Ok, except that the secret is the TOTP generator. Anyone that has the secret can generate any TOTP for any point in time, and own your 2FA. An attacker needs nothing else. So if the secrets are stored online - ever - it's nullifying the "offline" claim.
Does anyone know a 2FA app that only stores secrets offline? Eg without any networking code; as it's not only not required, but IMO is required NOT to be there for it to actually functionally be "two-factor authentication", and therefore locally-isolated.
iCloud is the worst choice of a place to store them as it's the same place the other factor may be routinely saved / backed-up, especially if "across devices".
You’re not wrong, a hardware keychain gizmo with a camera for scanning QRs would be the ultimate actually-secure 2FA device (at least against remote attackers). Personally though I view standards-based 2FA more as a tool to reclaim my login abilities from the insane zoo of “let us email or text you a code” confirmations various sites force on you because they assume you must use a stupid and reused password so that’s not enough now.
When I store my passwords and their 2FA secrets in my KeePass db, I’m arrogantly taking for granted that I won’t ever leak my whole secrets database, which is a risk I’m willing to take because I know what I’m doing (and don’t have any secrets valuable to state-level actors). I appreciate having the option to make this call so I don’t have to drop in to my email just to log into frigging Patreon.
Does anyone know a 2FA app that only stores secrets offline? Eg without any networking code; as it's not only not required, but IMO is required NOT to be there for it to actually functionally be "two-factor authentication", and therefore locally-isolated.
iCloud is the worst choice of a place to store them as it's the same place the other factor may be routinely saved / backed-up, especially if "across devices".