Is there a reason besides inertia why most applications that require authentication use a secret like a password for the primary factor, rather than using an OTP app?
For context about me: I am pretty new to programming, learning web application development. So maybe this would be a Very Bad Idea, and I just don't know why yet!
But it seems to me that some advantages of using an OTP would be:
1. It would be easier to temporarily grant someone else access to your account - as long as the app gives you a way to log out all other sessions and reauthenticate
2. It would remove the burden of remembering/managing unique passwords from the user
Back in the old days you used to get single-use passwords for secure systems. This creates a similar problem, where losing the sheet meant you needed new passwords.
Things you have are generally less convenient than things you know - which is why they're typically the 2nd factor, not the first factor.
[1] I'm assuming you need something to tell you the OTP - that you haven't memorized them all.
So, you lock out IP addresses. The attackers move to using a botnet.
So, you lock out specific accesses to an account. The attackers can't move forward now but they can quite easily and cheaply deny access to a given account indefinitely.
So when implemented correctly, with a strong enough password policy and a way to introduce delay, i.e. with bcrypt2 and IP address locking, etc., 2FA makes it more difficult. The time to access is considerably longer for an attacker.
Of course, you've got similar problems with a password and a second TOTP but you've increased the difficulty level massively as the attacker must now have a working password before they can work on the 2FA dialog. At this point, you can easily spot suspicious behaviour and warn users, etc.
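To make the trade-off in this answer concrete, here is an added example (not code from either poster) that implements RFC 6238 TOTP verification with a clock-skew window and a per-account failure lockout, and computes how many blind guesses a 6-digit code alone withstands. It uses the RFC 4226/6238 test secret `12345678901234567890`; the class and function names (`OtpVerifier`, `expected_guesses_per_success`), the 5-attempt limit and the 300-second lockout are assumptions chosen for illustration.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(secret, int(at) // step, digits)


def expected_guesses_per_success(digits: int = 6, window: int = 1) -> float:
    """Mean number of blind guesses before one lands on an accepted code.

    The verifier accepts 2*window+1 codes at any instant, so each guess
    succeeds with probability (2*window+1)/10**digits. Without a password
    in front of it, an OTP alone is a small search space unless guesses
    are throttled.
    """
    return (10 ** digits) / (2 * window + 1)


class OtpVerifier:
    """TOTP check with a clock-skew window and per-account failure lockout.

    The lockout is keyed on the account, not the client IP: it stops the
    guessing, but anyone who can send max_attempts bad codes keeps the
    legitimate user locked out for lockout_seconds (the denial-of-service
    trade-off the answer describes).
    """

    def __init__(self, secret: bytes, step: int = 30, digits: int = 6,
                 window: int = 1, max_attempts: int = 5, lockout_seconds: int = 300):
        self.secret = secret
        self.step = step
        self.digits = digits
        self.window = window
        self.max_attempts = max_attempts
        self.lockout_seconds = lockout_seconds
        # account -> [failure count, time of first failure in this window]
        self._failures: dict[str, list[int]] = {}

    def verify(self, account: str, code: str, now: int) -> tuple[bool, str]:
        record = self._failures.get(account)
        if record is not None and now - record[1] >= self.lockout_seconds:
            # Lockout window has expired; forget the old failures.
            del self._failures[account]
            record = None
        if record is not None and record[0] >= self.max_attempts:
            return False, "locked"

        counter = int(now) // self.step
        for skew in range(-self.window, self.window + 1):
            expected = hotp(self.secret, counter + skew, self.digits)
            # Constant-time compare so timing does not leak which digits matched.
            if hmac.compare_digest(expected, code):
                self._failures.pop(account, None)
                return True, "ok"

        if record is None:
            record = [0, int(now)]
            self._failures[account] = record
        record[0] += 1
        if record[0] >= self.max_attempts:
            return False, "locked"
        return False, "bad_code"


if __name__ == "__main__":
    # Constructed demo using the RFC test secret; not a real credential.
    secret = b"12345678901234567890"
    verifier = OtpVerifier(secret)
    print("code at t=59:", totp(secret, 59))
    print("expected blind guesses:", expected_guesses_per_success())
    print(verifier.verify("alice", totp(secret, 59), 59))
    for _ in range(5):
        verifier.verify("alice", "000000", 59)
    # Correct code, but the account is now locked by the five bad guesses.
    print(verifier.verify("alice", totp(secret, 60), 60))
```

Run it and the last line shows the point of the answer: after five wrong codes the account is locked even when the next code is correct, which is what lets an attacker deny access cheaply. Put a password check before `verify` and the same per-account counter only ever sees attempts from someone who already holds the password, so the lockout becomes a useful alarm rather than a denial-of-service lever.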