On Sun, Oct 23, 2022 at 7:37 PM Kevin Kofler <kevin.kof...@chello.at> wrote:
> * what the point of two-factor is at all considering that you have no way to
> prevent the developer from storing the password and the OTP generator on the
> same device.

The point is to add an authentication factor that isn't of any value if it is accidentally shared, phished, or intercepted. The window of opportunity for the reuse of a TOTP code is typically only 30 seconds, and it's rather time-intensive to derive the secret key from previous codes for the account. You only need to see the secret key during initial setup, so future logins aren't vulnerable to shoulder surfing. Reuse of the secret key is unlikely, because services typically only use the ones they generate. Having more than one device able to authenticate is mostly a matter of convenience, especially in the event of a hardware failure. Someone having access to your single device sufficient to capture the password and the secret key for the account is - hopefully - unlikely.
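The reply above describes the TOTP properties that make a captured code nearly worthless: the code is derived from a shared secret and the current 30-second time step, so a replayed code stops validating as soon as the step (plus whatever clock skew the verifier tolerates) has passed. The following is an added example, not code from the thread or from any project discussed in it. It implements RFC 4226 HOTP and RFC 6238 TOTP with HMAC-SHA1 from the Python standard library, adds a verifier that accepts a code only within the current step and one step of skew on either side, and includes a small helper showing that a code captured at one moment fails once the window has closed. The 20-byte ASCII secret used in the test is the RFC 6238 Appendix B test-vector key; the step size, digit count and skew are the common defaults and are choices made here, not something the message specifies.

```python
import base64
import hashlib
import hmac
import struct
import time

STEP_SECONDS = 30   # RFC 6238 default time step (assumed here)
DIGITS = 6          # common default code length (assumed here)


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: truncate HMAC-SHA1(secret, counter) to a decimal code."""
    msg = struct.pack(">Q", counter)                  # 8-byte big-endian counter
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                        # dynamic truncation offset
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = STEP_SECONDS,
         digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to floor(unix_time / step)."""
    return hotp(secret, unix_time // step, digits)


def verify_totp(secret: bytes, code: str, unix_time: int,
                step: int = STEP_SECONDS, digits: int = DIGITS,
                skew: int = 1) -> bool:
    """Accept the code for the current step and `skew` steps on either side.

    compare_digest keeps the comparison constant-time; the skew window is the
    only time span in which a captured code can be replayed.
    """
    counter = unix_time // step
    for c in range(counter - skew, counter + skew + 1):
        if hmac.compare_digest(hotp(secret, c, digits), code):
            return True
    return False


def replay_window_seconds(step: int = STEP_SECONDS, skew: int = 1) -> int:
    """Upper bound on how long any single code remains acceptable."""
    return step * (2 * skew + 1)


def replay_demo(secret: bytes, capture_time: int, delay: int) -> tuple:
    """Return (valid_when_captured, valid_after_delay) for a replayed code."""
    captured = totp(secret, capture_time)
    return (verify_totp(secret, captured, capture_time),
            verify_totp(secret, captured, capture_time + delay))


def enrollment_secret(secret: bytes) -> str:
    """Base32 form that enrollment QR codes carry; only ever shown at setup."""
    return base64.b32encode(secret).decode("ascii")


if __name__ == "__main__":
    # Constructed demo secret (the RFC 6238 test-vector key), not a real one.
    demo_secret = b"12345678901234567890"
    now = int(time.time())
    print("enrollment secret:", enrollment_secret(demo_secret))
    print("current code:", totp(demo_secret, now))
    print("replay after 2 minutes:", replay_demo(demo_secret, now, 120))
```

With a one-step skew the verifier accepts a given code for at most 90 seconds, so a code seen over someone's shoulder or lifted from a phishing page is useless unless it is used almost immediately; the secret itself never crosses the wire after enrollment.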