Is sharing the same TOTP across multiple servers any less secure?

Solution 1:

The problem is that, as @HBruijn pointed out, the TOTP value you used to log in to one service can be used by the attacker to log in to another service, and this within a time window of maybe two minutes. Although your time step might only be 30 sec, the RFC specifies that the validating service should search for the OTP value back and forth in time. This is recommended due to clock drift. https://www.rfc-editor.org/rfc/rfc6238#section-6

The other point is that your whole system is only as secure as the weakest part. If any of the systems/databases loses the OTP secret, all systems are compromised.

As you concluded in your question, you should think about using a centralized system that stores the secrets and performs the validation. This way there is no possibility of replay attacks and you only have to secure the OTP secret in one place.

You might want to take a look at privacyIDEA, which does exactly this. It is an authentication system that manages authentication devices like TOTP tokens or apps for users centrally. All applications authenticate against this service. (Disclaimer: I am a core developer of privacyIDEA)

The problem with this is that all applications need to be connected, i.e. each application must be able to talk to privacyIDEA. For this the application must be able to either act as a RADIUS client or talk to the authentication REST API. There are several plugins out there for many different applications like OTRS, ownCloud, WordPress, DokuWiki, Typo3...
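To make the replay window from the answer concrete, here is an added example (not code from the answer or from privacyIDEA) that implements RFC 6238 TOTP and contrasts two independent servers sharing one secret, each tolerating one step of drift, with a single central validator that remembers the last consumed time step. The secret, user name and timestamps are constructed values.

```python
import hmac
import hashlib
import struct

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP over the time-step counter T = floor(unix_time / step)."""
    return hotp(secret, at // step, digits)

class IndependentService:
    """One of several servers holding its own copy of the shared secret. Accepts the
    current step plus `drift` steps either side (RFC 6238 section 6) and keeps no
    record of codes it has already accepted, so it cannot tell a replay apart."""
    def __init__(self, secret: bytes, drift: int = 1, step: int = 30):
        self.secret, self.drift, self.step = secret, drift, step

    def verify(self, code: str, now: int) -> bool:
        t = now // self.step
        return any(hmac.compare_digest(hotp(self.secret, t + d), code)
                   for d in range(-self.drift, self.drift + 1))

class CentralValidator(IndependentService):
    """Single validator for all applications: same drift window, but it records the
    highest time-step counter each user has consumed and rejects it (or older) again."""
    def __init__(self, secret: bytes, drift: int = 1, step: int = 30):
        super().__init__(secret, drift, step)
        self.last_counter: dict[str, int] = {}

    def verify(self, user: str, code: str, now: int) -> bool:
        t = now // self.step
        for d in range(-self.drift, self.drift + 1):
            if hmac.compare_digest(hotp(self.secret, t + d), code):
                if t + d <= self.last_counter.get(user, -1):
                    return False  # counter already consumed: replay
                self.last_counter[user] = t + d
                return True
        return False

def demo(secret: bytes = b"constructed-shared-secret", now: int = 1_700_000_010) -> dict:
    """Constructed scenario: the user logs in to service A; 45 s later the same code
    is presented to service B (independent copy) and to the central validator."""
    code = totp(secret, now)
    a, b, central = IndependentService(secret), IndependentService(secret), CentralValidator(secret)
    return {"a_accepts": a.verify(code, now),
            "b_accepts_replay": b.verify(code, now + 45),
            "central_first": central.verify("alice", code, now),
            "central_replay": central.verify("alice", code, now + 45)}
```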