Maybe, however note that there is a serious inclusivity issue here; hardware tokens are far from free of cost. I think suggesting that one can only contribute to nixpkgs safely if one owns such a token is a bit tone deaf when a contributor is complaining about their lack of phone meaning they cannot contribute.
Also consider the threat model here; the point of 2FA is to require both factors for a login. Assuming you don’t store your passwords as plain text on the device you use to sign in, these are obviously still two factors - a knowledge factor (your encryption password) and an ownership factor (the device used to store your TOTP key).
This is weakened by malware being able to exploit a single device, and hence extracting your knowledge and ownership factor via keyloggers, but as @7c6f434c says, once you have that level of access to a device you also have access to browser session storage and therefore free rein over account access anyway, so your suggested approach doesn’t add additional protection here.
Having a third device is great, but I don’t think it offers any direct protection against a threat that using TOTP on an end user device doesn’t, specifically for systems that use session cookies such as GitHub.
For other systems hardware tokens are an obvious plus (e.g., client certificates for SSH access), and they are more resistant to malware, but under reasonable assumptions for web access TOTP on a laptop should perform similarly against a dedicated attack, and completely stop password phishing and such.
This is false. My phone also happily runs arbitrary applications, at least to the extent my computers do. Honestly it’s easier there than on NixOS, I need to write a whole package almost every time I want to “just run something”. On my phone I just need to tick a box saying “allow apps from this location”.
Besides that, claiming Apple or Google vet applications makes their platform safe is definitely a fallacy. The mobile app stores have been known to distribute malware, in many wondrous ways, from taken-over ad delivery networks injecting malware (and executing it because clearly they’re designed for maximum security, not profit) to simply missed viruses in submitted binaries built on malware-ridden Eclipse instances. This isn’t an uncommon thing on rarely used apps either, WeChat and Twitter at least have both been compromised in the past, and are well among the most used.
Neither is perfect, of course, I rely on open source contributors and software that I also can’t perfectly track, all of which could try to do evil, so arguably it’s inherently broken. Nixpkgs is at least more strict about the build processes than either Google or Apple, but ultimately trust is a difficult topic.
Personally, I trust this particular instance of the software delivery mess a bit more, especially because my computers have declarative, reproducible configurations that I can manage - I feel that I can know my attack surface here. Not on my phone.