You are supposed to store the password in a Secure Enclave, which you can only query for the current token value. You are also supposed to immediately destroy the QR code after importing it.
As I already mentioned, the fact that people often use it wrong undermines its security, but that doesn't change the intended outcome.
IMO if it is possible to use a system wrongly which undermines its security, it is already broken.
>You are supposed to store the password in a Secure Enclave,
That's at best a retcon, given that the RFC was first published in 2008.
>You are also supposed to immediately destroy the QR code after importing it.
Most TOTP apps support backups/restores, which defeats this.
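To make the two points above concrete (an enclave-style object that can only be asked for the current code, and a backup that would need the raw seed), here is an added example that is not from this thread. The `SealedTotpSecret` class is a hypothetical stand-in for a Secure Enclave or keystore object; the TOTP math itself follows RFC 6238 (HMAC-SHA1, 30-second step).

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional
from urllib.parse import parse_qs, urlsplit


class SealedTotpSecret:
    """Hypothetical stand-in for an enclave-held TOTP seed.

    The seed is stored in a name-mangled attribute and never returned by any
    method; callers can only ask for the code for a given time. A real
    enclave would enforce this in hardware rather than by convention.
    """

    def __init__(self, seed: bytes, digits: int = 6, step: int = 30) -> None:
        self.__seed = seed          # not exposed by any public method
        self._digits = digits
        self._step = step

    def current_code(self, now: Optional[int] = None) -> str:
        """RFC 6238 TOTP: HOTP over the number of steps since the Unix epoch."""
        if now is None:
            now = int(time.time())
        counter = struct.pack(">Q", now // self._step)       # 8-byte big-endian
        digest = hmac.new(self.__seed, counter, hashlib.sha1).digest()
        offset = digest[-1] & 0x0F                           # dynamic truncation
        code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
        return str(code % (10 ** self._digits)).zfill(self._digits)

    def __repr__(self) -> str:
        # No export path: a backup/restore feature would have to bypass this.
        return "<SealedTotpSecret: seed not exportable>"


def import_from_otpauth_uri(uri: str) -> SealedTotpSecret:
    """Parse an otpauth://totp/... URI (what a provisioning QR encodes) and seal it.

    After this returns, the caller should drop the URI / QR image; the seed
    now lives only inside the sealed object.
    """
    parts = urlsplit(uri)
    if parts.scheme != "otpauth" or parts.netloc != "totp":
        raise ValueError("not a TOTP provisioning URI")
    params = parse_qs(parts.query)
    secret = params["secret"][0].upper()
    seed = base64.b32decode(secret + "=" * (-len(secret) % 8))  # tolerate missing padding
    digits = int(params.get("digits", ["6"])[0])
    period = int(params.get("period", ["30"])[0])
    return SealedTotpSecret(seed, digits=digits, step=period)
```

The seed used in the test below is the RFC 6238 reference seed, so the expected codes are the RFC's published SHA-1 test vectors.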