TOTP seeds are only useful if you have the account they are associated with. How would the 2fa app by some random guy discern the identity associated with the seed?
Isn't one issue the display of the codes on the lockscreen? If viewing notification contents there is enabled, it would be problematic if it popped up while you were away from your device to say "Your Google 2fa is 100000 right now". I get that the iOS default requires unlock to view the actual content of the notification, but still, that seems less than perfect from a security standpoint.
Notifications say nothing about the account - just that you got this cool number on the app. And yeah you need the device unlocked to read the notification anyway
But yeah security concerns with it are overblown, the more realistic concern is trusting me personally vs a name brand!
To add an item, you scan a QR code. That QR code usually contains the name of the service and your username. For example, the format of GitHub's QR code is:
What? The same way that when you look at the 2fa codes in your app you know which account they are associated with. The qr codes people typically scan for that do not just contain the seed itself but metadata for the account associated with it like email address or account name.
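An added example, not code posted by anyone in this thread, showing what the enrolment QR code carries besides the seed: it parses a constructed otpauth:// URI into issuer, account and secret, and derives the code per RFC 6238. The URI and the account name are constructed; the seed is the RFC 6238 reference key.

```python
import base64
import hashlib
import hmac
import struct
from urllib.parse import parse_qs, unquote, urlparse


def parse_otpauth(uri: str) -> dict:
    """Split an otpauth:// URI into the fields an authenticator stores.
    The seed itself names no account; identity lives in the label and issuer."""
    parsed = urlparse(uri)
    if parsed.scheme != "otpauth":
        raise ValueError("not an otpauth URI")
    label = unquote(parsed.path.lstrip("/"))
    params = {k: v[0] for k, v in parse_qs(parsed.query).items()}
    # Label is "Issuer:account" by convention; an explicit issuer= parameter wins.
    label_issuer, _, account = label.rpartition(":")
    return {
        "type": parsed.netloc,  # 'totp' or 'hotp'
        "issuer": params.get("issuer", label_issuer) or None,
        "account": account.strip() or None,
        "secret": params["secret"],
        "digits": int(params.get("digits", 6)),
        "period": int(params.get("period", 30)),
        "algorithm": params.get("algorithm", "SHA1").upper(),
    }


def totp(secret_b32: str, timestamp: int, digits=6, period=30, algorithm="SHA1") -> str:
    """RFC 6238: HMAC over the time counter, dynamic truncation, mod 10^digits."""
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    counter = struct.pack(">Q", timestamp // period)
    digest = hmac.new(key, counter, getattr(hashlib, algorithm.lower())).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def code_from_uri(uri: str, timestamp: int):
    """Return (parsed entry, code valid at timestamp) for an enrolment URI."""
    e = parse_otpauth(uri)
    return e, totp(e["secret"], timestamp, e["digits"], e["period"], e["algorithm"])


# Constructed sample in the shape services embed in their enrolment QR code.
SAMPLE_URI = ("otpauth://totp/GitHub:alice%40example.com"
              "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=GitHub&digits=6&period=30")

if __name__ == "__main__":
    entry, code = code_from_uri(SAMPLE_URI, 59)
    print(f"issuer={entry['issuer']} account={entry['account']} code={code}")
```

A URI with only a secret parses with issuer and account both empty, which is all a watch app fed a pasted seed ever sees.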
I had a similar concern when I used a random app for TOTP on my Garmin watch, but was relieved when I considered the point I raised. To add codes to the watch you have to paste a seed into an app, and it couldn't be triggered from a QR code. I didn't realize the scan for 2fa had so much info.
Like do you really want to entrust your TOTP secrets to a random app by a guy you've never met just to get some fun push notifications?