I use Google Authenticator because I don’t trust Authy or literally any other company to keep the 2FA backups safe. But is it still OK to put all my trust in Google Authenticator and rely on it as the last resort in case all goes wrong? Is it not possible to somehow have access to my dynamic TOTP (that keeps changing every 10 sec) and use the password and user ID that someone got from a breach to log into my Twitch? I personally don’t know much about the underlying algorithms of a time-based OTP app, but I want to know: by installing spyware, a RAT or any other kind of malware, can someone just steal the shared seed phrase (the gibberish phrase that the websites give you to create these 2FA tokens in your authenticator apps)? As far as I know the G-Auth app stores the shared seed phrase locally and, using the current time, it gives me a new OTP every 10 seconds which can be used to log in to my accounts together with the password. If the G-Auth app doesn’t store it in an encrypted state, then spyware should be more than enough to steal the seed phrases and have these accounts accessed by anyone, anywhere, anytime. I mean, even companies like Twitch who host these accounts also need to store the seed phrase locally on their servers so they can match and confirm the TOTP that I enter during login. Wouldn’t the attacker also gain access to these seed phrases during such a fatal breach? (I mean, their source code was leaked; I don’t see why the seed phrases would be kept any more securely.)
After thinking about all these possibilities, is buying a hardware key (like Yubico or something) the only feasible option in case you’re super paranoid and want to do everything humanly possible to keep your digital life secure?