It is not using TOTP. It is using Microsoft Authenticator notifications. The only way to receive the notifications is from the Google Play services program, which receives the notification from Google, then spawns the notification in the Microsoft Authenticator app, which can unlock the login when clicked. Or, the corresponding iPhone app can also be used, or so I’m told.
I investigated what it would be like to reverse engineer the notification receiver system, but what I found is that the code is most likely intentionally designed for this kind of reverse engineering to fail. For example, the Google notification property map received by the Android device contains within itself the URL for the Microsoft server to post back to. So, reading the source code alone is insufficient for determining how to mimic an “approval” for the “notification.”
Edit: So, if it was not clear, the process is not TOTP and instead requires an internet connection to both Google and Microsoft.
No. The entire purpose of my solution was that running Waydroid on a spare Librem 5 to run the app was already too slow to start up. Similarly, starting an Android device from a powered-off state would be a waste of time. The purpose of this system is to log in to work in the morning. Rather than a 30-minute endeavor, it is preferable for it to be an instantaneous approval of the login attempt.
Although the Microsoft Authenticator app is capable of the TOTP function, my company turned it off and required that the only permitted manner to log in is with the Push Notification to Unlock, which is incompatible with TOTP and only works through the app. So, all of the things that you are describing, while true in some cases, are not applicable in the original situation for which this thread was created.