[thirsteh]

>> Send it to the email account that will be protected by two-factor authentication using the key, and it won't really matter.

> Unless, of course, the email is intercepted in transit.

> If your email is being sent in the clear, it doesn't matter whether or not you use SSL and/or two-factor authentication to connect to your server - the email has been compromised long before.

This isn't really as big of an issue as people make it out to be. TLS is fairly prevalent for MTAs.

Anyway, I assumed this was describing a scenario where a sysadmin/IT guy sends a QR code to another employee, in which case it is all internal.