[charcircuit]

That same ability makes it possible for 2FA apps to exist since the secrets can't be copied, turning the factor into something you know instead of something you have. Additionally just because someone is using a device that doesn't mean that the current user is the owner of the device.

[kmeisthax]

Google Authenticator lets you export your entire set of secrets as a QR code. In fact, you can even store them on Google's servers. Though I have no clue why you would do this instead of just printing out the QR code and storing it in a lockbox...

Furthermore nothing prevents you from just taking pictures of the individual enrollment keys and printing those out either.

If you want TOTP 2FA that actually follows a one key per device policy you need to buy hardware tokens with some kind of out-of-band keying mechanism and enroll those. Then your problem changes from "how to stop people from copying my 2FA tokens" to "how to not get locked out of my account when my 2FA key device breaks."

[Dylan16807]

2FA apps will never be perfect and allowing careful access is not going to undermine them.

And the alternative is taking a picture of the QR code.

> Additionally just because someone is using a device that doesn't mean that the current user is the owner of the device.

Yeah that's why you make the owner authenticate. It would be ridiculous to use that as a reason to make escalation impossible.