by hansy 1720 days ago
Using a separate device (YubiKey, mobile phone, etc.) is always recommended, but this is a bit more secure than meets the eye. Someone would have to get access to your Slack account to view the codes, and to do that, they'd have to first get access to your work email (because Slack is password-less and emails auth links to you).
2 comments

To do this semi-securely (because Slack accepts regular passwords) you'd need to validate the user's own MFA before handing out these MFA creds to prevent a Slack account compromise from escalating... but Slack can't do that unless there was an extension in the plugin somehow to prompt for an OTP code.
Slack happily uses passwords; the “magic links” via email are an additive feature.
Oof, you're 100% right; definitely missed this.
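The step-up check proposed in the thread (validate the requester's own OTP before releasing a shared code, so a stolen Slack session alone is not enough), written out as an added example. This is not code from the thread, from Slack, or from the plugin being discussed; `SharedCodeVault`, the per-user personal seeds and the shared account seeds are hypothetical, the seeds are constructed test data, and the shared seed happens to be the RFC 6238 test-vector secret so the output can be checked against the RFC. The TOTP routine is a minimal RFC 4226/6238 implementation included only so the block runs offline.

```python
"""Step-up check for a bot that hands out shared TOTP codes (hypothetical example)."""
import hashlib
import hmac
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): dynamic truncation of HMAC-SHA1 over the 8-byte counter."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """TOTP (RFC 6238): HOTP over the current time step (30 s by default)."""
    return hotp(secret, at // step, digits)


def verify_totp(secret: bytes, code: str, at: int, step: int = 30, window: int = 1):
    """Return the time-step counter the code matched, or None if it matched none.

    Tolerates +/- `window` steps of clock drift and compares in constant time.
    """
    for drift in range(-window, window + 1):
        counter = at // step + drift
        if hmac.compare_digest(hotp(secret, counter), code):
            return counter
    return None


class StepUpRequired(Exception):
    """The requester did not prove possession of their own second factor."""


class SharedCodeVault:
    """Releases a shared account's current TOTP only after a per-user step-up.

    The Slack identity alone is NOT trusted: a password or magic-link compromise
    of the Slack account must not be enough to pull codes for shared accounts.
    """

    def __init__(self, personal_seeds: dict, shared_seeds: dict):
        self.personal_seeds = personal_seeds   # user -> seed of their own authenticator
        self.shared_seeds = shared_seeds       # account name -> shared TOTP seed
        # Highest personal counter already accepted per user. A code posted in a
        # Slack channel is visible to whoever reads it, so it must not be reusable
        # within its validity window.
        self._last_accepted: dict = {}

    def release(self, user: str, account: str, presented_otp: str, now: int = None) -> str:
        now = int(time.time()) if now is None else now
        if user not in self.personal_seeds or account not in self.shared_seeds:
            raise PermissionError(f"{user!r} may not fetch codes for {account!r}")
        counter = verify_totp(self.personal_seeds[user], presented_otp, now)
        if counter is None:
            raise StepUpRequired("present the current code from your own authenticator")
        if counter <= self._last_accepted.get(user, -1):
            raise StepUpRequired("that code was already used; wait for the next one")
        self._last_accepted[user] = counter
        return totp(self.shared_seeds[account], now)


if __name__ == "__main__":
    # Constructed demo data; never keep real seeds in source.
    vault = SharedCodeVault(
        personal_seeds={"alice": b"alice-personal-seed!"},
        shared_seeds={"aws-root": b"12345678901234567890"},
    )
    now = int(time.time())
    my_code = totp(b"alice-personal-seed!", now)        # what alice's phone shows
    print("shared code:", vault.release("alice", "aws-root", my_code, now=now))
    try:
        vault.release("alice", "aws-root", my_code, now=now)   # replay is refused
    except StepUpRequired as exc:
        print("replay refused:", exc)
```

The vault never looks at who is logged into Slack beyond mapping the user to their enrolled seed; the release decision rests on the personal OTP, which an attacker holding only the Slack session does not have. Real deployments would keep seeds in an HSM or secrets manager and rate-limit failed step-up attempts, which this example omits.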