Time based One Time Pad (TOTP) is the technical name for those changing numbers you might use to log in to sites and secure systems. Google Authenticator is possibly the best well known and has plugins to use in lots of places such as WordPress sites and even SSH. But recently some have started to use this as their only login, and this is actually highly insecure. Lets walk through why this adds so much security when used for two factor auth and why its very poor security for single factor ...

this explanation makes me think TOTP is just adding 6 digits to your password to make brute forcing harder, not really providing a second factor at all!

I think the distinction is that it's two separate passphrases. It's not a matter of brute forcing an n+6 length passphrase (n being the length of your passphrase), but brute forcing a passphrase of length n, then brute forcing a 6 digit number. Both have to happen within 30 seconds. I'm not sure on the actual math to compare the complexities of these two, though. :]

I think the distinction is that it's two separate passphrases. It's not a matter of brute forcing an n+6 length passphrase (n being the length of your passphrase), but brute forcing a passphrase of length n,

thenbrute forcing a 6 digit number. Both have to happen within 30 seconds. I'm not sure on the actual math to compare the complexities of these two, though. :]