1) User inputs username and pw into spurious site.
2) Spurious site prompts for the user's TOTP token.
3) Spurious site proceeds to immediately log in to the real site w/ username, pw, and valid TOTP token.
4) Bad guys get an HTTP session cookie which for many sites lasts practically indefinitely.
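Added example (not part of the comment above) that models why the relay in steps 1-4 works against TOTP and fails against an origin-bound second factor: a TOTP code carries no information about which site the user typed it into, whereas a proof that covers the origin does. The secret, origins and challenge are constructed, and the origin-bound proof is a simplified HMAC model of the origin check WebAuthn provides, not the real protocol.

```python
import base64
import hashlib
import hmac
import struct

# Constructed demo secret; a real deployment provisions a random per-user secret.
SECRET = base64.b32decode("JBSWY3DPEHPK3PXP")

def totp(secret: bytes, t: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the time-step counter, dynamically truncated."""
    counter = struct.pack(">Q", t // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return f"{code:0{digits}d}"

def real_site_accepts_totp(code: str, t: int) -> bool:
    """The real site's TOTP check: nothing in the code says where the user typed it."""
    return hmac.compare_digest(code, totp(SECRET, t))

def relay_with_totp(t: int) -> bool:
    """Steps 1-4 of the comment: the user types a fresh code into the spurious site,
    which forwards it unchanged to the real site within the same 30-second step."""
    code_typed_into_spurious_site = totp(SECRET, t)  # what the user's authenticator shows
    return real_site_accepts_totp(code_typed_into_spurious_site, t)

def origin_bound_proof(secret: bytes, challenge: bytes, origin: str) -> bytes:
    """Simplified model (assumption): the proof covers the challenge AND the origin the
    user's browser is actually talking to, the way WebAuthn binds clientData.origin."""
    return hmac.new(secret, challenge + b"|" + origin.encode(), hashlib.sha256).digest()

def real_site_accepts_bound(proof: bytes, challenge: bytes) -> bool:
    """The real site only accepts a proof made for its own origin."""
    expected = origin_bound_proof(SECRET, challenge, "https://real.example")
    return hmac.compare_digest(proof, expected)

def relay_with_origin_binding(challenge: bytes) -> bool:
    """Same relay, but the proof was generated for the origin the user really visited,
    so forwarding it verbatim to the real site fails verification."""
    proof = origin_bound_proof(SECRET, challenge, "https://spurious.example")
    return real_site_accepts_bound(proof, challenge)
```

The session-lifetime problem in step 4 is separate: even with an origin-bound factor, a session cookie that never expires is worth protecting with an absolute lifetime and re-authentication for sensitive actions.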