[1cvmask]

There are different methods of 2FA like scanning encrypted barcodes that show that you require intent.

It seems that the Duo core app is a variant of HOTP?

What's the name of the phishing group and any details on them? There was a Defcon or Black Hat video where they would constantly send a push approval to the mobile which was not PIN protected and most people would click on it. Don't remember which OTP generator it was.