The Main Risk
An online authenticator calculates codes from a secret. The risk is not the word "online" by itself; it is who can access the Base32 token. If the token leaks, someone else can generate fresh one-time codes.
A safer process starts with access control. The secret should not appear in public pages, tickets, repositories, screenshots, or analytics. Direct links that contain tokens must be treated as sensitive.
When Online Use Is Reasonable
2FA online is useful for support, test accounts, temporary access, and internal runbooks. In those workflows, the team can control documentation, permissions, and token lifetime.
For permanent personal accounts, Google Authenticator, Microsoft Authenticator, or another app is often better. It reduces the number of places where the secret appears in plain text.
Practical Controls
Store recovery codes separately from the TOTP secret. Grant access only to people who need it. Review the user list regularly and rotate tokens after departures, contractor changes, or suspected leaks.
If a secret must be shared, use a protected channel and delete temporary messages after setup. Do not turn a Base32 token into an ordinary note.