
Update: it's actually hmac(secret, time). I'll leave the post as-is, in case someone is ever looking for the hash(secret+time) case (for which I provided some reasoning at least), but for TOTP tokens, this question is a duplicate of Why is HMAC-SHA1 still considered secure?.

TOTP tokens are basically hash(secret+time). Since you don't know the secret, you can't use them as prefix to compute the random "near-collision block pair", so an attack like Shattered won't work here (even if the time matched this random block pair, which it also won't).

Am I correct in thinking that Shattered does not apply to TOTP?

Are there any other attacks that do?

Of course, the recommendation is always to move away from SHA-1, but the question is whether this is a direct vulnerability that a well-funded attacker could exploit or (as far as is public knowledge) just hardening advice.

Luc
