TOTP is a good solution as a second factor of authentication, but should not be the only factor. Additionally, TOTP requires pre-registering a secret with the server, and IndieAuth.com is not supposed to have a trust relationship with the people signing in.