Assuming an attacker has complete control over your computer, and your phone is within Bluetooth range, can he make the phone generate a token without user interaction?
I was assuming the user would have to click a button on the phone or something, but I couldn't see it in the video.
Assuming the attacker has complete control over your computer...
... the end user just lost, absent substantially more defense-in-depth on the provider side than just using TFA. TFA mostly helps you against "We lost credentials or a low-privilege session, let's prevent that from escalating to a high-privilege session." If your device is rooted, you'll eventually cough up a high-privilege session, either by passive monitoring or by something more clever like e.g. using your own computer as the MITM to ask you to provide a valid TFA to do something which really only requires a low-privilege session. Now the attacker has both factors. Game, set, match.