Comment by crote
7 hours ago
You are supposed to store the password in a Secure Enclave, which you can only query for the current token value. You are also supposed to immediately destroy the QR code after importing it.
As I already mentioned, the fact that people often use it wrong undermines its security, but that doesn't change the intended outcome.
IMO if it is possible to use a system wrongly which undermines its security, it is already broken.
This is how we get sites that block software tokens and only allow a whitelist of hardware based tokens.
There is no system which cannot be used wrongly in a way which undermines its security.
OP:
> the fact that people often use it wrong undermines its security
I can chuck a brick at your head. Clearly the brick is broken
Bricks are meant to be built with, not thrown at heads.
If you build with the brick properly you will have a great wall, if you don't then it will fall down. Pretty simple.
I mean, TOTP is one of the earliest 2 factor systems, and works least well.