by ayrx 4268 days ago
Uhm... The 2FA used in Google Authenticator does use a shared secret. The algorithm is TOTP (RFC 6238). It's simply an HMAC applied on the current Unix timestamp with the shared secret as a key and truncated to 6, 7 or 8 digits depending on the implementation.

My point is that you are taking what should work behind the scenes (common shared secret) and forcing a user interaction (typing or copying out a code) because synchronizing that secret across user accounts on disparate devices is considered "too hard" a problem, even though, like I said, the browser can be a perfectly good commonality and Persona was on the brink of fantastic innovation on that front.