Allow me to check my understanding - you believe that proving that you have two physical devices in your custody is a more secure solution than proving that you have one physical device in your custody, and that you know a secret. You believe this because the secret is low-entropy, people could choose it poorly, and the secret could be deduced from physical evidence like fingerprints on a screen.
a 2FA code is infinitely more secure than the you using your year of birth or some other insecure pin
This is comparing apples to oranges.
At the risk of repeating myself ad nauseum, you would then have two factors from the same category (something you own) that could be stolen. This would not be "infinitely more secure". Having factors from different categories, one of which has little physical existence outside of the connections between neurons in your brain, would be more secure.
A TOTP is
simply the mechanism to prove you own a physical widget, which as a couple of us have pointed out now includes such mundane solutions such as keys. Its entropy and timed nature do nothing to mitigate the fact that if you own the widget, you can authenticate. It provides absolutely zero benefit beyond a physical key, and only downsides in reduced convenience. Requiring two keys would be just as secure as using a TOTP, but with less faff.
I can imagine that some confusion is arising owing to the
means of proving you have the widget being similar to proving that you know the secret (4-digit character entry), but they're achieving totally different ends.
Yes, requiring a second factor proving custody of a physical item is more secure than
only requiring a low-entropy secret. But we already have that second factor - it's the key that we all already own.
The degree of entropy in the secret-you-know is important, but it is also a compromise with convenience. At one guess a second, a 4-digit PIN would take up to 2 hours and 47 minutes crack. That's a long time for someone to be sat in your car undetected.
There's a reason why companies force you to have longer passcodes on your work phone because 4 digits is not secure.
Yes and that reason is, unlike unlocking a car, logging into a phone
does not require a second factor to authenticate. Hence in the absence of the second factor of a different nature, the entropy of the secret is much more important. There's a reason why in most cases (laptops) companies force you to have secrets and physical devices, and not multiple physical devices.
If my refutation of the central point isn't landing, then a call to authority might be: if TOTPs were such a good idea in this instance, why would Tesla's security professionals not have implemented it when they rolled out 2FA for online login? Why has no-one in (my limited knowledge of) automotive history required presentation of two physical devices to start the car? Why don't HSBC, NatWest, BNP Paribas, JPMC, Santander, Google, or others require multiple physical factors to for their workers to authenticate? Why when Google have multiple two-factor methods to authenticate end-users (ie you can have a TOTP device registered, and a mobile phone number to receive calls/texts) don't they allow you to require
both and not just choose one?
If your concern is PIN entropy then a simpler solution would be allowing characters from the western alphabet as well as numbers. It wouldn't be infinitely more secure, but approximately 172 times more secure if we consider the amount of time to brute-force it, meaning you could leave someone guessing your PIN once per second non-stop for 19 days before they'd definitely have guessed it.
). I use a Yubikey for U2F, GPG signing of Git commits, SSH auth, and outputting my 1Password secret key. We used to hot-desk and pair-program at work, so being able to sign in to all the things on any machine, and also cryptographically prove the author of my code, was quite handy.
), but assuming no physical traces are left then it can't be stolen without either surveillance or your knowledge.
