How is it not a second factor ?

It's something else that is unrelated to your password that you have to provide in order to log in, is that not the definition of a factor of authentication ?

Because it's phishable ?

Regardless, TOTP is way better than passwords alone, or SMS as another factor. It's also the only one that can be deployed at scale that is supportable.

I hope Passkeys will become deployable, but the last few times we tried public key auth over web, it hasn't really work out all that well. However nobody but the DOD has been able to support it, and they only support it by brute force. It's not really deployable by anyone else. TLS client certs were never even tried seriously the UX was never remotely good enough. I fear Passkeys will be basically the same problem. UX is fine on the happy path, but the unhappy path is littered with broken at every turn.