Comment by crote

4 hours ago

Ah, of course! I did initially consider DH as an example, but discounted it because of the need for the server to store the plaintext password - the fact that you can just hash it first completely slipped my mind.

I completely agree about phishing being the main attack vector. However, I do think malware is a not-too-distant second - which makes having a single device contain both your password and TOTP secret a Really Bad Idea. Having not-perfectly-secure TOTP codes only on your phone and a password manager DB only on your desktop is a pretty decent solution for that.