
> Yes, as the article points out, it slightly reduces ease of login. But that seems like a sensible trade off.

In addition to making the login process more complicated, 2FA can also introduce privacy concerns. A third party authenticator app can collect all kinds of data for its own reasons (for example, MS's app will request location and camera permissions), and that 3rd party could also track which services you log into, when you access them, and how often you access them.

2FA can also cause you to be locked out of your accounts, either temporarily or forever.



Having a TOTP app request camera permission isn't nefarious. In fact, I'd 100% expect it. Most of the time people import a TOTP secret from a QR code.

Microsoft Authenticator can be configured by an admin to provide geo-blocking for attempts, so once again not just some arbitrary demand. It's a selling point of the product.


For a few years now, there's also been the option on Android to avoid giving permanent permissions to most apps that request use of one; when an app requests a permission for the first time, I'm prompted to choose from the options "allow only this time", "allow only while using the app", or "allow always" (in addition to having the option to completely deny the permission of course, although in many cases an app might refuse to function if that's chosen). Scanning a TOTP QR code seems like a really great use-case for the "allow only this time" option; presumably adding a new TOTP secret is a pretty infrequent reason for opening the app compared to getting a code from an existing one, so having to manually accept the request each time doesn't seem like it would be that much work.

I'm not familiar enough with iOS to know if something similar to this exists for it, but I'd honestly be more surprised if there _isn't_.


It's not unreasonable for Microsoft Authenticator to request those permissions, but just because they can justify asking for them it doesn't necessarily mean that you want Microsoft collecting that data, or any data, about what you're doing and when. One of the nice things about hardware tokens is that they keep third parties out of your business entirely.


Yeah, especially in that MS Authenticator is usually configured for Push mode as opposed to TOTP.

That said, I prefer simple/general TOTP implementations that I can just use with my password manager for my own convenience. But the permissions being asked for are completely reasonable for the actual use of these applications.
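The point made in the comments above about importing a TOTP secret from a QR code and about "simple/general TOTP implementations" is easy to make concrete: the QR code only carries an otpauth:// URI with the shared secret, and everything after that is local HMAC arithmetic (RFC 4226/6238), so a plain TOTP app or a password manager needs no vendor service, location, or network access at all. The following is an added example written for this page; it is not code from the thread or from any product discussed in it. The URI, the issuer "example.org" and the account name are constructed, and the secret is the RFC 6238 test key "12345678901234567890" in base32.

```python
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, unquote, urlparse

# Constructed sample: the kind of otpauth:// URI a service encodes in its
# enrollment QR code. Issuer and account name are made up; the secret is
# the RFC 6238 test key "12345678901234567890" encoded in base32.
SAMPLE_URI = ("otpauth://totp/example.org:alice%40example.org"
              "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=example.org"
              "&algorithm=SHA1&digits=6&period=30")


def parse_otpauth(uri):
    """Parse an otpauth://totp/... URI into its TOTP parameters."""
    parts = urlparse(uri)
    if parts.scheme != "otpauth" or parts.netloc.lower() != "totp":
        raise ValueError("not an otpauth TOTP URI")
    params = {k: v[0] for k, v in parse_qs(parts.query).items()}
    if "secret" not in params:
        raise ValueError("URI carries no secret")
    secret = params["secret"].upper().replace(" ", "")
    # Many enrollment QR codes omit base32 padding; restore it before decoding.
    secret += "=" * (-len(secret) % 8)
    return {
        "label": unquote(parts.path.lstrip("/")),
        "issuer": params.get("issuer", ""),
        "secret": base64.b32decode(secret),
        "algorithm": params.get("algorithm", "SHA1").upper(),
        "digits": int(params.get("digits", "6")),
        "period": int(params.get("period", "30")),
    }


def hotp(secret, counter, digits=6, algorithm="SHA1"):
    """RFC 4226 HOTP: HMAC over the big-endian counter, dynamic truncation."""
    digest = getattr(hashlib, algorithm.lower())
    mac = hmac.new(secret, struct.pack(">Q", counter), digest).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, at, digits=6, period=30, algorithm="SHA1"):
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(secret, int(at) // period, digits, algorithm)


def code_from_uri(uri, at=None):
    """Produce the current (or given-time) code for an enrollment URI."""
    p = parse_otpauth(uri)
    if at is None:
        at = time.time()
    return totp(p["secret"], at, p["digits"], p["period"], p["algorithm"])


if __name__ == "__main__":
    p = parse_otpauth(SAMPLE_URI)
    print(f"{p['issuer']} / {p['label']}: {code_from_uri(SAMPLE_URI)}")
```

Nothing here leaves the device: once the URI is parsed, the secret and the clock are the only inputs. That is the property a push-based authenticator gives up, since push mode requires the vendor's servers to relay each login attempt.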



