The core issue with TOTP (Time-based One-Time Password, RFC 6238) as deployed today is that it authenticates in only one direction: the user to the application. The service never proves anything to the user, so a phishing page or man-in-the-middle proxy that collects a valid code can relay it to the real service within the code's validity window, and the user has no way to notice that the page asking for the code is not the service it claims to be. What is missing is the other half of authentication: the service proving its legitimacy to the user.
TOTP2 (TOTP "duo") introduces two one-time codes. One code is presented by the application to the user to confirm the application's authenticity; the other is presented by the user to the application to validate the user's identity. Both parties must establish their authenticity before the login completes, which is a more complete security model than one-way TOTP. The practical check that makes it work is on the user's side: the user must compare the service's code against their authenticator before typing their own, and refuse to continue on a mismatch. A service code that is displayed but not checked adds nothing.
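The following is an added worked example of the two-code exchange described above. It is the editor's illustration, not code from the draft or its author. The HOTP/TOTP core follows RFC 4226 and RFC 6238 exactly (HMAC-SHA1, 30-second step, six digits, and the RFC test key is used as constructed input). How the two codes are derived from one enrolled secret is an assumption made here for illustration: the example splits the secret into two direction-specific subkeys via HMAC with the labels "server->user" and "user->server", so a service code can never be replayed as a user code. The draft may specify a different derivation.

```python
import hashlib
import hmac
import struct

STEP = 30
DIGITS = 6


def hotp(key: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(key: bytes, unix_time: int, step: int = STEP, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to floor(unix_time / step)."""
    return hotp(key, unix_time // step, digits)


def role_key(secret: bytes, role: bytes) -> bytes:
    """Hypothetical domain separation (an assumption of this example, not the draft's
    derivation): one enrolled secret yields two direction-specific subkeys, so the
    server's code cannot be replayed as a user code or vice versa."""
    return hmac.new(secret, role, hashlib.sha256).digest()


def verify(key: bytes, presented: str, unix_time: int, window: int = 1) -> bool:
    """Constant-time comparison against the current step and +/- `window` steps of clock drift."""
    return any(
        hmac.compare_digest(totp(key, unix_time + d * STEP), presented)
        for d in range(-window, window + 1)
    )


def mutual_exchange(server_secret: bytes, user_secret: bytes, now: int) -> dict:
    """Simulate the two-code flow between a service and a user's authenticator.

    1. The service shows a code computed under the server->user subkey.
    2. The user's authenticator recomputes it from its own copy of the secret; on a
       mismatch the user aborts and sends nothing (the service failed to prove itself).
    3. Only then does the user send the user->server code, which the service verifies.

    `server_secret` and `user_secret` are normally the same enrolled secret; passing a
    different value for `server_secret` models a phishing page that does not hold it.
    """
    shown = totp(role_key(server_secret, b"server->user"), now)
    if not verify(role_key(user_secret, b"server->user"), shown, now):
        return {"server_authenticated": False, "user_code_sent": False, "user_authenticated": False}
    user_code = totp(role_key(user_secret, b"user->server"), now)
    ok = verify(role_key(server_secret, b"user->server"), user_code, now)
    return {"server_authenticated": True, "user_code_sent": True, "user_authenticated": ok}


if __name__ == "__main__":
    # Constructed sample values: the RFC 4226/6238 test key and a fixed RFC 6238 timestamp.
    SECRET = b"12345678901234567890"
    NOW = 1111111109
    print("plain TOTP     :", totp(SECRET, NOW))
    print("genuine service:", mutual_exchange(SECRET, SECRET, NOW))
    print("phishing page  :", mutual_exchange(b"attacker-has-no-secret", SECRET, NOW))
```

Running it shows the plain TOTP value for the RFC test vector, a fully authenticated exchange when both sides hold the secret, and an aborted exchange, with no user code ever sent, when the "service" cannot produce the right first code. Note that `verify` accepts one step of drift on either side; the window is a deployment choice and wider windows proportionally widen the replay window for a captured code.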
The IETF RFC draft is at https://datatracker.ietf.org/doc/draft-strbac-totp2/