5 Jun
2016
5 Jun
'16
4:31 p.m.
Michael Ströder wrote:
Peter Lambrechtsen wrote:
do see there are multiple sites now support TOTP where the enrollment is seamless for end-users. Login to a web site, use Google Authenticator or Authy or any other myriad of TOTP clients to scan the QR code.
I really wonder why scanning the shared secret as QR code from a screen is considered an acceptable security practice. :-/
BTW: And hosted OTP services have access to all the shared secrets... Ciao, Michael.