I wanted to point out a very serious problem related to this post: Google will no longer simply accept TOTP as a verification but insists on sending you a notification to one of your devices.
Now I can't just use KeePassXC to get into Google anymore; I have to use my phone. The problem that the OP points out provides very real and poignant evidence that this is not only annoying but dangerous.
What is it that companies have against TOTP? It's starting to get obnoxious. I want to use it everywhere but some companies have stopped honoring it.
Yes!!! This has happened to me before. I entered my TOTP and then Google forced me to open YouTube on my phone. I didn't have YouTube (I deleted it), so I had to re-install the YouTube app and sign in through that before I could log in to whatever I was initially trying to do.
Unless something changed, you can enable SMS MFA, add TOTP as a secondary MFA option, then remove SMS to only have TOTP. I did this a couple years ago after someone explained it to me. It is stupid, tedious, and still requires giving up your phone number to Google, but it may help you as it did me.
I also use KeePassXC and have had phone issues in the past, so I hate relying on my phone for anything important (it's also just not as convenient as copy/pasting from KeePassXC).
This came up two months ago and I posted screenshots of a new 2FA setup and it very clearly allowed registering a TOTP or Yubikey without SMS. You just had to actually spend 10 seconds looking at the page and seeing there was a link for it.