Hacker News

alphager, today at 1:48 AM

The 30 seconds (+30-60 seconds to account for clock drift) are long enough to exploit.

TOTP is primarily a defense against password reuse (3rd party site gets popped and leaks passwords, thanks to TOTP my site isn't overrun by adversaries) and password stuffing attacks.


Replies

vel0city, today at 4:36 AM

In every system I've worked on, recent successful TOTPs have been cached as well to validate they're not used more than once.
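The two points above (a drift window of one 30-second step either side, and a cache of already-accepted codes so a captured code cannot be replayed inside that window) combined in one verifier, as an added example that is not code from either commenter. The secret, the one-step drift allowance and the `TotpVerifier` class are assumptions for the demo; the TOTP computation follows RFC 6238 with HMAC-SHA1.

```python
import hashlib
import hmac
import struct
import time

SECRET = b"constructed-demo-secret-not-real"  # constructed sample key, not a real secret
STEP = 30    # TOTP time step in seconds
DRIFT = 1    # assumed drift allowance: one step either side (+/-30 s)


def totp_at(secret, counter, digits=6):
    """RFC 6238 TOTP for a given time-step counter (HMAC-SHA1 per RFC 4226)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class TotpVerifier:
    """Accepts a code once within the drift window; refuses it on any later attempt."""

    def __init__(self, secret):
        self.secret = secret
        self.used_counters = set()  # replay cache, keyed by the time-step counter

    def verify(self, code, now=None):
        base = int((time.time() if now is None else now) // STEP)
        for counter in range(base - DRIFT, base + DRIFT + 1):
            if counter in self.used_counters:
                continue  # this step was already consumed: a replayed code must fail
            if hmac.compare_digest(totp_at(self.secret, counter), code):
                self.used_counters.add(counter)
                self._prune(base)
                return True
        return False

    def _prune(self, base):
        # Entries older than the drift window can no longer verify, so drop them.
        self.used_counters = {c for c in self.used_counters if c >= base - DRIFT}
```

Without the cache, the same code would verify again anywhere inside the roughly 90-second window the first comment describes; with it, the second attempt returns `False`.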