All the products supporting TOTP-based 2FA use one of the common authenticator apps such as Google Authenticator, Authy, etc.
I want to understand whether there are any security reasons behind why the implementations prefer to use the generic authenticator apps rather than build the TOTP code-generation application themselves, or even have it in the main app (the one that relies on TOTP for 2FA).
I see a few concerns:
- Most of the TOTP use cases are for login, so I understand the need for a different app to share the code, instead of having the code generator within the parent app, which cannot be accessed - well - until one logs in. However, 2FA can have use cases other than login.
- Time sync on the local device can be hard, so one can rely on apps like Google Authenticator to implement it rather than implementing it themselves.
What are the other reasons? Are there any security concerns? I could not find any reference in the RFC specs.