> the website would present a QR code, you would open the phone and scan the code, the phone would make a request signed with your key to a URL, and the website would authenticate you because by making this signed request you proved that "something you have" part is done.
WebAuthN essentially gives you that behavior, with the addition of making it MITM-resistant (which TOTP isn't). It even works cross-platform these days (I think both devices need Bluetooth as a proof-of-proximity, to make sure an adversary isn't relaying you a QR code).
Unfortunately both iOS and Android absolutely insist on syncing these credentials to the cloud, but both now have APIs that would allow a third party to provide a local-only backend.
WebAuthN essentially gives you that behavior, with the addition of making it MITM-resistant (which TOTP isn't). It even works cross-platform these days (I think both devices need Bluetooth as a proof-of-proximity, to make sure an adversary isn't relaying you a QR code).
Unfortunately both iOS and Android absolutely insist on syncing these credentials to the cloud, but both now have APIs that would allow a third party to provide a local-only backend.