
I agree TOTP is much better than MFA prompts or calls/SMS. TOTP does protect against the first two attack methods the article lists.

However, it's not quite as good as a hardware key, because it's still vulnerable to the third method the article lists: "Calling the target, pretending to be part of the company, and telling the target they need to send an MFA request as part of a company process."

I generally consider TOTP "good enough" for a lot of applications, whereas prompts and SMS are not "good enough."



We take training constantly to not click our Duo notifications for people on the phone, etc.

A few months ago I couldn't log into the VPN. Posted to the Slack channel and got a Slack message asking for my phone number. OK, so I know this guy is really my IT and I'm asking for help. Then he sends me a freaking Duo notification! I say "I'm not supposed to click this" and he goes "well yeah, but I'm IT."

It’s all very stupid.



