Completely forgot that localhost is a special case for secure contexts... Yeah that would either just not work at all or require some tomfoolery with dynamic subdomains which I would not be comfortable with. TOTP would be the go-to then, I think. I agree about separate vlan though, I have a dedicated port without internet that can only talk to web ui for this reason.
I haven't commonly experienced issues that would cause my router to lose access to ntp for extended periods of time, and in such cases you can just reset using physical button. Of course, TOTP should be optional to use so I am not too worried.
