alt Hacker NewsThat same rationale wouldn't support SMS as "something I have." iMessage and other solutions easily spread SMS into cloud and PC lands (ones that are more easily accessible than password managers.) More likely it's because of legacy and "good enough" reasons.
Personally I don't put TOTP tokens into my password manager and keep a dedicated app for it, just in case my password manager is pwned.
I'm not really defending it, I'm explaining the mentality. iMessage is probably closer to "something I have" but yeah, often not true for many American users.
I'd probably keep a TOTP app if I actually brought my cell with my everywhere but I really don't feel like it; if I'm heading to a cafe to work for a bit I might need to access something and can't be bothered to bring two devices.
Plus, people increasingly access stuff from cell phones, so it's not a guarantee of "something you have" anymore. And no shot we're convincing everyone to start carrying some kind of hardware token.
You have to remember that cybersecurity is driven by what is secure so much as what is compliant, and increasingly so.