I already mentioned this in another thread, but this showcases why TOTP is pretty much a joke. A good 2FA system should not be prone to phishing. The main problem is that 2FA based on TOTP does not actually communicate with the password manager or 2FA app; in other words, it doesn't communicate with the PC. If this were a requirement, then phishing wouldn't work, at least not via fake websites, because only the real website would be able to ask for the OTP (one-time password).
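The origin-binding point in the post above, as an added example that is not part of the original post: an RFC 6238 TOTP code is computed from the shared secret and the clock only, while an origin-bound response also covers the site the client software is actually talking to. The origin-bound half is a simplified HMAC stand-in for what WebAuthn/FIDO2 does with public-key signatures; the keys, origins and function names are constructed for illustration.

```python
import hashlib
import hmac
import os
import struct

def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP with HMAC-SHA1. Inputs: shared secret and time, nothing else."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def server_accepts_totp(secret: bytes, submitted: str, unix_time: int) -> bool:
    # The server sees only the digits; where the user typed them is not an input.
    return hmac.compare_digest(totp(secret, unix_time), submitted)

def origin_bound_response(key: bytes, challenge: bytes, origin: str) -> bytes:
    """Simplified stand-in for an origin-bound authenticator (assumption:
    HMAC instead of a WebAuthn signature). The client software, not the
    user, supplies the origin of the page that asked."""
    return hmac.new(key, challenge + b"|" + origin.encode(), hashlib.sha256).digest()

def server_accepts_bound(key: bytes, challenge: bytes, response: bytes,
                         expected_origin: str) -> bool:
    expected = origin_bound_response(key, challenge, expected_origin)
    return hmac.compare_digest(expected, response)

def demo():
    real_origin = "https://login.example.test"    # constructed
    other_origin = "https://other-site.test"      # constructed
    secret = b"12345678901234567890"              # RFC 6238 test secret
    now = 59                                      # RFC 6238 test time

    # TOTP: the code is valid at the real server no matter which page collected it.
    code = totp(secret, now)
    totp_ok = server_accepts_totp(secret, code, now)

    # Origin-bound: a response produced for any other origin fails verification.
    key, challenge = os.urandom(32), os.urandom(16)
    on_real = origin_bound_response(key, challenge, real_origin)
    on_other = origin_bound_response(key, challenge, other_origin)
    return (totp_ok,
            server_accepts_bound(key, challenge, on_real, real_origin),
            server_accepts_bound(key, challenge, on_other, real_origin))

if __name__ == "__main__":
    print(demo())
```
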