TOTP would do well here for this case for a really simple path forward - but then having the student login themselves and the request be formally logged and allowed via not-their-computer would offer a bit more scaleability and auditability
Indeed: this is almost exactly the attack type TOTP was designed for.
The idea was that if someone intercepted your network traffic and captured your password, it wouldn't do them any good without also having your code generator.
It turns out that if you have a live MitM connection there are ways around that problem, but TOTP is still helpful against other attacks.
I agree that for this situation, it's probably better to focus on detection than bulletproof enforcement.
