How is it not a second factor?
It's something else that is unrelated to your password that you have to provide in order to log in, is that not the definition of a factor of authentication?
Because it's phishable?
It’s a second password - not a bad thing, but still vulnerable to many categories of attacks.
Passwords are "something you know". TOTP is "something you know". It wanted to be "something you have", but it's not. Proof: I can put TOTP tokens into my password manager now. Anything that can go into my password manager is proved to be "something I know" by the fact I can put it into my password manager.
Incidentally, passkeys go into my password manager too. You can probably work the math from there.
(I'm heterodox on this matter, though. I don't believe in the existence of "things you are" and "things you have". I think it's all ultimately just "things you know" and it's all better analyzed in terms of the cost of knowing and proving knowledge, and that the 3-factor framework for authentication is wrong.)