> backups possible for TOTP secrets:
>
> 1. Backups that are specific to the app that made them
I never thought about that. I always backup the key before I first use it, when it's shown for the very first time. Heck, I've written a CLI / text TOTP app (using some Java TOTP library) for my own use (fully offline / airgapped / password protected / showing six codes at once for the same code [+1 hour / now / -1 hour and previous code / current code / next code] and which also shows a public/commonly used example code, which is convenient to diagnose sync/clock issues).
> But this tool [1] knows how to take the information in that QR code and decode it and split it into the individual secrets for each site.
Like JBSW Y3DP EHPK 3PXP ?
In my experience every site that shows the QR code offers the possibility to see that secret (and those that don't are misleading users into thinking it's more complicated than it is).
A TOTP secret is just that: 16 or 24 or whatever characters. The QR is just an encoding of these characters. The "issuer" serves no role other than to autofill the name of the service for you (and you're not forced to use the issued name; you can use any name you want).
I never ever scanned a QR code to configure 2FA / TOTP for any site. I write the 2FA code down, then encode what I've written down (in at least two devices).
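As an added illustration of the point above (not the commenter's Java tool, and not code from any library the comment mentions): the QR code is just an `otpauth://totp/...` URI whose `secret` parameter is the base32 string, so it can be parsed, the secret normalised (spaces, lower case and missing padding tolerated, as when it is copied by hand) and the RFC 6238 code computed directly; the previous/current/next window mirrors the comment's clock-skew diagnosis. The URI, label and issuer below are constructed.

```python
import base64
import hmac
import struct
import time
from urllib.parse import urlparse, parse_qs, unquote

EXAMPLE_SECRET = "JBSW Y3DP EHPK 3PXP"  # the commonly used demo secret ("Hello!" + 0xdeadbeef in base32)

def decode_secret(text: str) -> bytes:
    """Normalise a hand-copied base32 secret: drop spaces/dashes, upper-case, restore '=' padding."""
    s = "".join(text.split()).upper().replace("-", "")
    s += "=" * (-len(s) % 8)
    return base64.b32decode(s)

def parse_otpauth(uri: str) -> dict:
    """Pull label, issuer, secret and parameters out of the otpauth://totp/... URI a QR code encodes."""
    u = urlparse(uri)
    if u.scheme != "otpauth" or u.netloc != "totp":
        raise ValueError("not a TOTP otpauth URI")
    q = {k: v[0] for k, v in parse_qs(u.query).items()}
    return {
        "label": unquote(u.path.lstrip("/")),   # free-form account name, purely cosmetic
        "issuer": q.get("issuer"),              # also cosmetic: not part of the code computation
        "secret": decode_secret(q["secret"]),
        "digits": int(q.get("digits", 6)),
        "period": int(q.get("period", 30)),
        "algorithm": q.get("algorithm", "SHA1").lower(),
    }

def hotp(key: bytes, counter: int, digits: int = 6, algorithm: str = "sha1") -> str:
    """RFC 4226: HMAC(key, 8-byte big-endian counter) -> dynamic truncation -> zero-padded decimal."""
    mac = hmac.new(key, struct.pack(">Q", counter), algorithm).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def totp(key: bytes, at: int, digits: int = 6, period: int = 30, algorithm: str = "sha1") -> str:
    """RFC 6238: HOTP with the counter set to floor(unix_time / period)."""
    return hotp(key, at // period, digits, algorithm)

def code_window(key: bytes, at: int, steps: int = 1, period: int = 30) -> list:
    """Codes for the previous, current and next time steps; a server accepting only a neighbour hints at clock skew."""
    return [totp(key, at + i * period, period=period) for i in range(-steps, steps + 1)]

if __name__ == "__main__":
    # Constructed URI, not issued by any real service.
    acct = parse_otpauth("otpauth://totp/Example:alice%40example.org?secret=JBSWY3DPEHPK3PXP&issuer=Example")
    print(acct["label"], acct["issuer"], acct["secret"])
    print(code_window(acct["secret"], int(time.time())))
```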