Big oof.
A master password shipped in client-side JS.
A fake OTP authentication process - "the server sends the OTP back...and the [client code] compares what you typed against that value locally before letting you through"
And it gets worse after that.
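
The OTP flow quoted above puts both the secret and the comparison in the browser. As an added example (not part of the original comment, and not code from the application it describes), here is a Node.js sketch of the server-side form; the function names, the 5-minute lifetime and the 5-guess limit are assumptions.

```javascript
// Added example: OTP verification kept on the server. All names are hypothetical.
const { randomInt, randomUUID, timingSafeEqual } = require('node:crypto');

const TTL_MS = 5 * 60 * 1000; // assumed code lifetime
const MAX_ATTEMPTS = 5;       // assumed guess limit per challenge
const challenges = new Map(); // challengeId -> { code, expires, attempts }

// Issue a challenge. The code reaches the user out of band (SMS, e-mail)
// through deliver(); the HTTP response body carries only the challenge id.
function issueOtp(deliver, now = Date.now()) {
  const code = String(randomInt(0, 1_000_000)).padStart(6, '0');
  const challengeId = randomUUID();
  challenges.set(challengeId, { code, expires: now + TTL_MS, attempts: 0 });
  deliver(code);
  return { challengeId }; // never { challengeId, code }
}

// Compare on the server, in constant time, and answer only yes or no.
function verifyOtp(challengeId, submitted, now = Date.now()) {
  const entry = challenges.get(challengeId);
  if (!entry) return false;
  if (now > entry.expires || entry.attempts >= MAX_ATTEMPTS) {
    challenges.delete(challengeId); // expired or guessed too often
    return false;
  }
  entry.attempts += 1;
  const a = Buffer.from(String(submitted));
  const b = Buffer.from(entry.code);
  const ok = a.length === b.length && timingSafeEqual(a, b);
  if (ok) challenges.delete(challengeId); // single use
  return ok;
}

// Regression check for the flaw quoted above: no value in the body sent to
// the browser may equal the code (walks nested objects and arrays).
function responseLeaksCode(body, code) {
  if (body !== null && typeof body === 'object') {
    return Object.values(body).some((v) => responseLeaksCode(v, code));
  }
  return String(body) === code;
}
```

A check like `responseLeaksCode` fits in an integration test for the issue endpoint, so a response that echoes the code fails the build.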