TOTP credentials are also based on a shared secret known to both the client and the server, creating multiple locations from which a secret can be stolen. An attacker with access to this shared secret could generate new, valid TOTP codes at will.

Then what's the point? Are they just hoping that the password (if the user uses a password manager) is stored in a different place than the 2FA secret and therefore both don't get stolen at once?

@aescling Having to go find a second device just so that I can log into Mastodon (or any web site) seems extremely inconvenient.

I can understand that it may be important for a website that controls your money, such as online banking, but Mastodon?

📟🐱 GlitchCat

A small, community‐oriented Mastodon‐compatible Fediverse (GlitchSoc) instance managed as a joint venture between the cat and KIBI families.