Hacker News

Reminds me of Google Authenticator, hiding the private key (used for generating the one-time codes) by hand-waving and wishful thinking. Most users probably don't realize that there is a shared key -- and are left wondering why there's no sane way to import/export keys/accounts (there's of course no good reason for this other than dumbing down/simplifying the UI/UX: I suppose opinions are divided on whether or not this is a good thing). When you don't understand that there's a shared secret, you don't realize that that secret could be backed up/leaked from the server side -- without you knowing. Pretending that it's an HSM-type deal and hiding the complexity of key management obscures some pretty obvious attack vectors from the users.

All that said, (T)OTPs have some advantages versus the "provably shared-secret, by way of salt+hash+stretching" model of traditional passwords.
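As an added example (not part of the comment above, and not Google Authenticator's code): a minimal RFC 4226/6238 HOTP/TOTP implementation in Python, standard library only, that makes the shared-secret point concrete. The same `hotp()` call produces the code on the phone and the check on the server, so the server must hold the raw secret (at best encrypted at rest); it cannot keep only a salted, stretched hash the way it can for a password, which is the contrast drawn in the comment. The secret used is the RFC 6238 test-vector key; the issuer "Example", the account "alice@example.com" and the password "hunter2" are made up for the example.

```python
"""Minimal RFC 4226 (HOTP) / RFC 6238 (TOTP), plus the password contrast.

Added example, not Google Authenticator's code. The secret is the RFC 6238
test-vector key; issuer, account name and password are made up.
"""
import base64
import hashlib
import hmac
import os
import struct
from urllib.parse import quote

# RFC 4226/6238 test-vector key (ASCII "12345678901234567890"). A real
# enrolment would use os.urandom(20). Constructed for this example.
SHARED_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6, digestmod=hashlib.sha1) -> str:
    """HOTP(K, C): HMAC over the big-endian 8-byte counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), digestmod).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """TOTP = HOTP with counter T = floor(unix_time / step). The phone runs this."""
    return hotp(secret, unix_time // step, digits)


def verify_totp(secret: bytes, code: str, unix_time: int, window: int = 1) -> bool:
    """Server-side check. It needs the very same raw secret the phone has,
    because it must recompute HMAC(secret, T) itself. Accepts +/- `window` steps
    of clock skew and compares in constant time without an early return."""
    counter = unix_time // 30
    ok = False
    for c in range(counter - window, counter + window + 1):
        ok |= hmac.compare_digest(hotp(secret, c), code)
    return ok


def otpauth_uri(secret: bytes, issuer: str, account: str) -> str:
    """The URI carried in the enrolment QR code. It is also the export format:
    whoever can read the server-side secret can enrol a second device from it."""
    b32 = base64.b32encode(secret).decode().rstrip("=")  # apps accept unpadded base32
    label = quote(f"{issuer}:{account}")
    return (f"otpauth://totp/{label}?secret={b32}&issuer={quote(issuer)}"
            "&algorithm=SHA1&digits=6&period=30")


def password_record(password: str) -> dict:
    """Password storage: salt + stretched hash. A database dump does not yield
    the password, only something to brute-force (600k PBKDF2 rounds here)."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 600_000)
    return {"salt": salt, "hash": digest}


def verify_password(record: dict, password: str) -> bool:
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), record["salt"], 600_000)
    return hmac.compare_digest(digest, record["hash"])


def totp_record(secret: bytes) -> dict:
    """TOTP storage: the server keeps the secret itself. There is no hashing
    step to hide behind; a database dump is enough to mint valid codes."""
    return {"secret": secret}


if __name__ == "__main__":
    print(otpauth_uri(SHARED_SECRET, "Example", "alice@example.com"))
    leaked = totp_record(SHARED_SECRET)["secret"]          # what a DB dump yields
    print("phone:   ", totp(SHARED_SECRET, 59))            # RFC 6238 vector, T=1
    print("attacker:", totp(leaked, 59))                   # identical by construction
    rec = password_record("hunter2")
    print("password check:", verify_password(rec, "hunter2"), verify_password(rec, "x"))
```

The `__main__` block shows the asymmetry directly: the "attacker" line, computed from nothing but the stored `totp_record`, equals the phone's code, while the stored `password_record` only supports a yes/no check and leaks no reusable credential.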



