Hacker News
by bcoates 4707 days ago
Does obtaining the original Google authenticator QR code actually let you impersonate the authenticator? I was hoping it was a one-time shared secret only used for the authenticator to identify itself to the server for bootstrapping purposes and that a used QR code would be worthless.
2 comments

Yes, it does. The QR code just contains the TOTP key and title.

Send it to the email account that will be protected by two-factor authentication using the key, and it won't really matter.

> Send it to the email account that will be protected by two-factor authentication using the key, and it won't really matter.

Unless, of course, the email is intercepted in transit.

If your email is being sent in the clear, it doesn't matter whether or not you use SSL and/or two-factor authentication to connect to your server - the email has been compromised long before.

>> Send it to the email account that will be protected by two-factor authentication using the key, and it won't really matter.

> Unless, of course, the email is intercepted in transit.

> If your email is being sent in the clear, it doesn't matter whether or not you use SSL and/or two-factor authentication to connect to your server - the email has been compromised long before.

This isn't really as big an issue as people make it out to be. TLS is fairly prevalent for MTAs.

Anyway, I assumed this was describing a scenario where a sysadmin/IT guy sends a QR code to another employee, in which case it is all internal.

I like the setup since it doesn't require my phone or other device to be connected to the internet. Also, "bootstrapping" would be problematic since I have 2 or 3 devices that I keep my codes on. I switch between them often and I don't always carry the same device with me all the time.