by ce4 3124 days ago
The 2FA secret is just a URI, nowadays embedded in a QR code and easily photographed or scanned using any of the 2D barcode scanner apps.

Then generate a session id and invalidate the URI after first use.
It’s not a URI. The google-authenticator PAM library generates an image that encodes the secret which gets echoed to the terminal as a QR code. No internet access required - just a camera on your phone to image the code.

If you can take a photo of the code & re-use it, then you can initialise multiple phones with the same secret.