I've seen a number of two-step website authentication methods out there. Some include two passwords, HOTP/TOTP, Yubikey, SMS to a phone number, etc. However, it seems like all of these systems rely on your computer or main device to not be compromised.
To be specific, let me refer specifically to TOTP. Here is a typical TOTP website flow for a site:
1. You type your password into your computer
2. You open your 2FA app (e.g., FreeOTP auth, Google auth)
3. You type the current TOTP token into your computer
If an attacker had a keylogger or CPU logger on your computer, can they not access your account? By step 3, assuming your computer is compromised, they have both your password and your current TOTP token. I do understand that the attacker can only access your account once because the TOTP token would expire after 30 seconds.
However, what if the typical TOTP website flow was the following:
1. You type your password into your computer
2. You open your 2FA app (e.g., FreeOTP auth, Google auth)
3. You send the current TOTP token directly from your phone to the server of the site you were trying to log into from your computer
I don't see how it would be that much more effort on the side of the site's server. I assume it would just need an endpoint that listens for incoming TOTP tokens that get sent with a username to identify which login the incoming TOTP token is for. Now an attacker would have to install a keylogger on your computer (or main device) and your phone (or second device) to get access to your account.
In my view, with this proposed setup an ultimate security mechanism would be a computer + a specific hardware device that is capable of sending TOTP keys to a server (perhaps like a Bitcoin Trezor but instead of showing a bitcoin address, it would show a domain name or IP address for confirmation). But as far as I know, I do not see a push for using two separate entities to do website authentication. Is there a reason for this?
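A minimal model of the second flow described above, as an added example that is not part of the original post: the password arrives on one channel, the TOTP token arrives on a separate endpoint keyed by username, and each time step is accepted only once. `LoginServer`, `password_ok` and `submit_token` are hypothetical names, and the secret and user are constructed sample data.

```python
import hashlib
import hmac
import struct

STEP = 30  # seconds per TOTP time step (RFC 6238 default)

def totp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP value (RFC 4226) for a counter; TOTP sets counter = unix_time // STEP."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

class LoginServer:
    """Hypothetical server: password comes from the computer, token from the phone."""

    def __init__(self, secrets: dict):
        self.secrets = secrets      # username -> shared TOTP secret
        self.pending = {}           # username -> session waiting for a token
        self.last_step = {}         # username -> last time step already accepted
        self.authenticated = set()  # sessions that passed both factors

    def password_ok(self, user: str, session_id: str) -> None:
        """Computer channel: the password check passed, wait for the token."""
        self.pending[user] = session_id

    def submit_token(self, user: str, token: str, now: float) -> bool:
        """Phone channel: the endpoint that receives username + TOTP token."""
        session_id = self.pending.get(user)
        if session_id is None:
            return False  # no login is waiting for this user
        current = int(now) // STEP
        for step in (current - 1, current):  # allow one step of clock drift
            if step <= self.last_step.get(user, -1):
                continue  # this step was already consumed: reject replays
            if hmac.compare_digest(totp(self.secrets[user], step), token):
                self.last_step[user] = step
                self.authenticated.add(session_id)
                del self.pending[user]
                return True
        return False

# Constructed sample data: the RFC 4226 test secret and a made-up user.
SECRET = b"12345678901234567890"
server = LoginServer({"alice": SECRET})
server.password_ok("alice", "sess-1")
print(server.submit_token("alice", totp(SECRET, 59 // STEP), now=59))  # accepted
server.password_ok("alice", "sess-2")
print(server.submit_token("alice", totp(SECRET, 59 // STEP), now=61))  # replayed
```

In this model the token is tied only to a username, so the server approves whichever login is pending for that user; a real design would also need the second device to show which session or site is being approved.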