The problem with multi-factor authentication is its overuse. I would also hate physical keys if every single door I came across required me to unlock it.
When you already have so many logins that you start using a password manager, your passwords are already high entropy enough that they don't get brute forced and a leak doesn't compromise your other accounts. TOTP adds challenge response to this, so it is actually a bit better than a password since an interception cannot be reused, but they are both still shared secret and in both cases need to be stored in some other device (password manager vs TOTP code manager). For most logins that don't require real security I just use my password manager for both so it is just a disjoint shared secret approach. Nevertheless, TOTP "increases security" for websites (but not my security specifically) because the shared secret is generated by the website owner so is definitely unique and not reused unlike many other user's passwords.
I expect the majority of people are storing their TOTP secrets on the device they are logging in from (their mobile device) and so have single points of vulnerability. So multifactor auth is typically just a disjoint shared secret with a partial challenge. The extra security is just created because the website forces true random shared secret. We could have all this with a single factor.
Why couldn't we combine the two? Make TOTP based on a higher-entropy secret with longer generated codes the only factor. This would prevent replay attacks of entered passwords, thus protecting against phishing, and ensure users have safe secrets (since the site generates the secret).
When you already have so many logins that you start using a password manager, your passwords are already high entropy enough that they don't get brute forced and a leak doesn't compromise your other accounts. TOTP adds challenge response to this, so it is actually a bit better than a password since an interception cannot be reused, but they are both still shared secret and in both cases need to be stored in some other device (password manager vs TOTP code manager). For most logins that don't require real security I just use my password manager for both so it is just a disjoint shared secret approach. Nevertheless, TOTP "increases security" for websites (but not my security specifically) because the shared secret is generated by the website owner so is definitely unique and not reused unlike many other user's passwords.
I expect the majority of people are storing their TOTP secrets on the device they are logging in from (their mobile device) and so have single points of vulnerability. So multifactor auth is typically just a disjoint shared secret with a partial challenge. The extra security is just created because the website forces true random shared secret. We could have all this with a single factor.