Hacker News
by bloopernova 884 days ago
Is there a "create duplicate/backup of yubikey" app of some kind?

EDIT: How to register your spare Yubikey: https://support.yubico.com/hc/en-us/articles/360021919459

1 comment

Wait, they suggest saving photos of the QR codes of your TOTP secrets? That seems to weaken the concept by making it easy for an attacker 1) to identify secrets and the sites they’re associated with, and 2) to retrieve them (in plaintext, no less) with no more than access to a device’s photo roll.

I thought the idea was that we’d write the secret once to an arbitrary number of primary and backup devices, then destroy it so it can’t be stolen as easily. Although I guess password managers save TOTP secrets alongside the password factor these days too.

Does the “secret itself is not phishable” aspect of TOTP just not actually matter in practice as much as the rapid expiration and frustrating replay attacks / on-the-wire sort of secret interception?

Having the QR in your photo roll doesn't break the 'not phishable' property.
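An added example (not from the thread, and not Yubico's or any authenticator's code) of what the comment above is reasoning about: the text a TOTP provisioning QR code encodes, the RFC 6238 computation that turns the shared secret into a code, and why every device provisioned from the same QR code produces the same code. The otpauth URI is constructed for illustration; its key is the RFC 4226/6238 test key "12345678901234567890" in base32, so the codes can be checked against the published test vectors. The small Verifier class is an illustrative server-side check with a one-step window and once-per-step replay rejection, not any particular service's implementation.

```python
"""Added example: what a TOTP provisioning QR code contains, and what it
means to copy it to several devices.  Not code from the thread.  The otpauth
URI is constructed; the key is the RFC 4226/6238 test key
"12345678901234567890" in base32 (GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ)."""
import base64
import hashlib
import hmac
import struct
from urllib.parse import parse_qs, unquote, urlparse

# Constructed example of the text a provisioning QR code encodes.  A photo of
# the QR code is a photo of this string: the shared secret sits in base32
# next to the account label and issuer, with no encryption of any kind.
EXAMPLE_URI = (
    "otpauth://totp/Example:alice%40example.com"
    "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Example&digits=8"
)


def parse_otpauth(uri):
    """Decode an otpauth://totp/... URI into its provisioning parameters."""
    u = urlparse(uri)
    if u.scheme != "otpauth" or u.netloc != "totp":
        raise ValueError("not a TOTP otpauth URI")
    q = parse_qs(u.query)
    return {
        "label": unquote(u.path.lstrip("/")),
        "issuer": q.get("issuer", [None])[0],
        "secret": q["secret"][0],
        "digits": int(q.get("digits", ["6"])[0]),
        "period": int(q.get("period", ["30"])[0]),
        "algorithm": q.get("algorithm", ["SHA1"])[0].upper(),
    }


def decode_secret(secret_b32):
    """Base32 as used in otpauth URIs: case-insensitive, padding usually omitted."""
    s = secret_b32.strip().upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))


def hotp(key, counter, digits=6, algorithm="SHA1"):
    """RFC 4226 HOTP: HMAC over the big-endian 64-bit counter, then dynamic truncation."""
    digestmod = getattr(hashlib, algorithm.lower())
    mac = hmac.new(key, struct.pack(">Q", counter), digestmod).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret_b32, unix_time, digits=6, period=30, algorithm="SHA1"):
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / period)."""
    return hotp(decode_secret(secret_b32), int(unix_time) // period, digits, algorithm)


class Verifier:
    """Illustrative server side: accept a code within +/- `window` steps, each step once."""

    def __init__(self, secret_b32, digits=6, period=30, algorithm="SHA1", window=1):
        self.key = decode_secret(secret_b32)
        self.digits, self.period, self.algorithm, self.window = digits, period, algorithm, window
        self.used_steps = set()  # per-user state; without it a code can be replayed within the window

    def verify(self, code, unix_time):
        step = int(unix_time) // self.period
        for candidate in range(step - self.window, step + self.window + 1):
            if candidate in self.used_steps:
                continue
            expected = hotp(self.key, candidate, self.digits, self.algorithm)
            if hmac.compare_digest(expected, code):
                self.used_steps.add(candidate)
                return True
        return False


def devices_from_qr(uri, count=2):
    """Provision `count` devices from one QR code; each gets its own full copy of the secret."""
    params = parse_otpauth(uri)
    return [dict(params) for _ in range(count)]


def codes_at(devices, unix_time):
    """Every device provisioned from the same QR code produces the same code at the same time."""
    return [totp(d["secret"], unix_time, d["digits"], d["period"], d["algorithm"]) for d in devices]


def replay_demo(secret_b32, digits, unix_time):
    """Present the same code twice inside the window: (accepted first time, accepted again)."""
    v = Verifier(secret_b32, digits=digits)
    code = totp(secret_b32, unix_time, digits)
    return v.verify(code, unix_time), v.verify(code, unix_time + 11)


if __name__ == "__main__":
    params = parse_otpauth(EXAMPLE_URI)
    print("secret recovered from the QR text:", params["secret"])
    primary, backup = devices_from_qr(EXAMPLE_URI)
    print("primary and backup agree at T=59:", codes_at([primary, backup], 59))
    print("(first use accepted, replay accepted):", replay_demo(params["secret"], 8, 59))
```

The RFC 6238 table gives 94287082 for this key at T=59 and 89005924 at T=1234567890, and the RFC 4226 table gives 755224 and 359152 for counters 0 and 2, so the arithmetic can be checked by hand. The two points the comment makes fall out directly: a saved QR image is a plaintext copy of the secret and its account label, and "write the secret to N devices" means N identical copies, each sufficient on its own to generate valid codes.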