Hacker News

tptacek last Wednesday at 3:12 PM

TOTP isn't phishing-resistant, which is the whole ballgame. I've had the job of working on authentication for highly-targeted mass-market systems, and code-generators basically don't work: they raise the bar on phishing attacks to a level phishers still easily meet.


Replies

goatsi last Wednesday at 3:56 PM

TOTP and SMS 2FA prevent credential stuffing attacks, which is very valuable considering how bad people are with password reuse and how many breaches with plaintext or weakly hashed passwords there have been.
