Comment by anilakar
5 days ago
> HOTP/TOTP has a registration step, where you copy a server-generated secret to your phone through a QR-code-encoded otpauth:// URI
RFC4226 and RFC6238 do not specify anything but the actual algorithm(s), which is exactly what OP implemented.
And many actual implementations work the other way around, which opens the user to credential compromise but is a much better user experience (and the only one possible with several kinds of hardware tokens).