If there is a widely accessible TOTP website (prototype: https://depperm.github.io/) that allows users to set a date and secret they can remember or a package that allows companies/developers to create their own domain/site specific tool, what possible security flaws are there beyond having information phished, key logged, or copied in person?
The date and secret would be stored encrypted on the database (and set in the same manner as a password), so when the OTP comes in a new token can be generated from the decrypted info and validated against the incoming one.
I am aware of the potential issue of client time being different than server time, but I believe there are viable solutions for this problem, and I don't see it as a security flaw but a usability flaw.
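The server-side check described in the question, sketched as an added example (not code from the post or the linked prototype). It assumes the user-chosen date is used as the RFC 6238 start time `T0` and the secret as the HMAC-SHA1 key; the names `totp`, `verify`, `window` and `last_counter` are hypothetical. It shows a drift window for the client/server time difference, a constant-time comparison, and rejection of a code that was already accepted.

```python
import hashlib
import hmac
import struct

STEP = 30  # seconds per time step (RFC 6238 default)


def totp(secret: bytes, unix_time: int, t0: int = 0, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) counted from t0 (assumed: the user's date)."""
    counter = (unix_time - t0) // STEP
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation, RFC 4226
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def verify(secret: bytes, t0: int, submitted: str, server_time: int,
           last_counter: int = -1, window: int = 1):
    """Return the matched time-step counter, or None if the code is rejected.

    window       -- steps of clock drift tolerated on either side
    last_counter -- highest counter already accepted for this user; codes
                    at or below it are refused, so a captured code cannot
                    be replayed inside the drift window
    """
    now = (server_time - t0) // STEP
    matched = None
    for c in range(now - window, now + window + 1):
        if c < 0 or c <= last_counter:
            continue
        expected = totp(secret, t0 + c * STEP, t0)
        # Constant-time comparison; keep looping after a match as well.
        if hmac.compare_digest(expected.encode(), submitted.encode()):
            matched = c
    return matched


if __name__ == "__main__":
    secret = b"12345678901234567890"   # RFC 6238 test key, not a real secret
    t0 = 1_000_000_000                  # constructed stand-in for the user's date
    code = totp(secret, t0 + 59, t0)
    print(code, verify(secret, t0, code, t0 + 89))  # accepted one step late
    print(verify(secret, t0, code, t0 + 89, last_counter=1))  # replay refused
```

The caller has to persist the returned counter per user and pass it back as `last_counter` on the next attempt; without that, every code stays valid for the whole drift window.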