DEV Community

Discussion on: Prevent phishing on the web with crypto

Alex Grinman

While what you wrote is true, there are advantages to this being part of the cryptographic protocol. Namely, with TOTP 6-digit codes the user can shoot themselves in the foot by giving away the code to some site or somebody (think of it like "oh, the auto-2FA isn't working, I should just punch in the code"). Of course you could hide the code from the user. There is also some complexity about which sites should be allowed to use the 2FA code (i.e. accounts.google.com vs my.google.com), and the U2F protocol outlines how this all works.

If the browser is compromised then the user is totally compromised anyways (steal the sessions after you login).
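An added toy model of the origin binding the comment describes (example code, not from the comment or from the U2F specification): HMAC stands in for U2F's ECDSA signature, the hostnames are constructed, and the browser is assumed to stamp the requesting page's origin into the application ID, so a relayed challenge yields an assertion the real site rejects.

```python
import hashlib
import hmac
import os
import struct

def _signed_message(app_id, counter, challenge):
    # What a U2F token signs: hash of the application ID (origin), a counter, the challenge.
    return hashlib.sha256(app_id.encode()).digest() + struct.pack(">I", counter) + challenge

class ToyAuthenticator:
    """Stand-in for a U2F token: one credential per application ID (origin)."""
    def __init__(self):
        self._keys = {}     # app_id -> per-origin secret; HMAC stands in for ECDSA
        self._counter = 0   # monotonically increasing, as in U2F

    def register(self, app_id):
        self._keys[app_id] = os.urandom(32)
        return self._keys[app_id]   # a real token returns a public key; the toy shares the key

    def sign(self, app_id, challenge):
        # The browser fills in app_id from the requesting page's origin. The user
        # never sees a code to type anywhere, so the response is bound to that origin.
        self._counter += 1
        msg = _signed_message(app_id, self._counter, challenge)
        sig = hmac.new(self._keys[app_id], msg, hashlib.sha256).digest()
        return {"app_id": app_id, "counter": self._counter, "challenge": challenge, "sig": sig}

def verify_assertion(expected_app_id, key, challenge, assertion):
    """Relying-party check: accept only a signature over our own origin and our challenge."""
    if assertion["app_id"] != expected_app_id or assertion["challenge"] != challenge:
        return False
    msg = _signed_message(assertion["app_id"], assertion["counter"], assertion["challenge"])
    expected = hmac.new(key, msg, hashlib.sha256).digest()
    return hmac.compare_digest(expected, assertion["sig"])

def relay_outcomes():
    """The real site, the same token, and a look-alike origin relaying the real challenge."""
    real, lookalike = "accounts.google.com", "accounts-google.example"   # constructed hostnames
    token = ToyAuthenticator()
    key = token.register(real)
    challenge = os.urandom(32)   # issued by the real site, relayed by the look-alike page
    token.register(lookalike)    # the look-alike can enrol its own credential...
    # ...but the browser stamps its own origin on the assertion, so the real site rejects it.
    relayed = verify_assertion(real, key, challenge, token.sign(lookalike, challenge))
    legit = verify_assertion(real, key, challenge, token.sign(real, challenge))
    # Tampering with the origin field after signing breaks the signature instead.
    forged = dict(token.sign(lookalike, challenge), app_id=real)
    tampered = verify_assertion(real, key, challenge, forged)
    return {"relayed_accepted": relayed, "legit_accepted": legit, "tampered_accepted": tampered}
```

Real U2F lets one application ID cover several related origins (the accounts.google.com vs my.google.com question) through a trusted-facets list; this toy binds each credential to a single exact origin. A TOTP code, by contrast, carries no origin at all, which is why a user can hand it to the wrong site.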