[pja]

The system is setup not to reveal the secret once it’s set. Technical users can root their phones to extract the secret of course, but most users wont be willing to go that far.

You can of course set up a new secret & share it with multiple phones at that point. Not sure there’s much you can do to stop that using a software 2FA implementation. If it really matters, then a hardware token is the way to go.

[ce4]

The 2FA secret is just a URI, nowadays embedded in a QR code and easily photographed or scanned using any of the 2d barcode scanner apps.

[supergreg]

Then generate a session id and invalidate the URI after first use.

[pja]

It’s not a URI. The google-authenticator pam library generates an image that encodes the secret which gets echoed to the terminal as a QR-code. No internet access required - just a camera on your phone to image the code.

If you can take a photo of the code & re-use it, then you can initialise multiple phones with the same secret.