Not relevant to scenarios where you stash TOTP long term secrets in a password store, but note that WebAuthn / FIDO doesn't have this problem - the data you're keeping per user to authenticate with WebAuthn isn't a secret, it's not even personally identifiable, a bad guy could add their own credentials if they have write access, but they can't learn anything by examining yours.
