> Sure, a 40-0 roll being a 50 isn’t immediately obvious, but this is the only internally consistent method I can see here.
The author is trading the ability to intuitively read numbers for consistency, which isn't needed. I'd much rather remember the one special case - `00-0` being 100 - rather than the unintuitive need to treat every `X0-0` as `(X+1)0`.
And in any case... consistency is whatever you choose and stick with.
Except you're still protected whenever a website gets breached and all their passwords are dumped. Sure it's still a single point of failure but at least it's with a company dedicated to password security.
Standard TOTP MFA (which is what most password managers would offer in terms of MFA) uses a shared secret, which you would just dump from the same database you get the dumped passwords from.
Unless you use asymmetric crypto, e.g. in WebAuthn, this doesn't benefit you at all.
Except that the seed for the TOTP is unique to each website, because the website generates it, as opposed to a user-supplied password that might get reused across websites. The impact is limited to the already compromised website, which is pretty darn good.
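Added example, not written by any of the commenters above: a minimal RFC 4226/6238 HOTP/TOTP implementation in Python that makes both points in the last two comments concrete. Because TOTP is symmetric, whoever holds the stored seed (the server's user table, or a dump of it) computes exactly the code the authenticator app shows; because each site generates its own seed, one site's seed says nothing about another site's codes. The site names, user name and the second seed are constructed for the scenario; the first seed is the RFC test secret.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to floor(unix_time / step)."""
    return hotp(secret, unix_time // step, digits)


def shared_secret_scenario(t: int = 1111111109) -> dict:
    """Constructed scenario: 'alice' enrolled TOTP at two sites. Each site generated its own
    seed and stores it in its user table; the same seeds sit in her authenticator app."""
    site_a_seed = b"12345678901234567890"  # RFC 4226/6238 test secret, standing in for site A's seed
    site_b_seed = b"09876543210987654321"  # constructed seed for site B
    site_a_users = {"alice": site_a_seed}  # what a dump of site A's database would contain
    authenticator = {"site-a.example": site_a_seed, "site-b.example": site_b_seed}
    return {
        # symmetric: the stored seed yields exactly the code the app shows at the same instant
        "dump_reproduces_site_a_code": totp(site_a_users["alice"], t)
        == totp(authenticator["site-a.example"], t),
        # per-site seed: site A's seed does not yield site B's code at the same instant
        "dump_reproduces_site_b_code": totp(site_a_users["alice"], t)
        == totp(authenticator["site-b.example"], t),
    }


if __name__ == "__main__":
    print(totp(b"12345678901234567890", 59, digits=8))  # RFC 6238 test vector: 94287082
    print(shared_secret_scenario())
```

The defensive takeaway matches the thread: TOTP seeds in a breached user table are as exposed as the password hashes next to them, so the mitigation is to scope the damage (per-site seeds, as the last comment notes) or to move to an asymmetric scheme such as WebAuthn, where the server stores only a public key.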