I did it, and frankly, this is a pain.
I am quite unsatisfied about this I must say:
- You have to install a separate application - why on earth should we do that?
- And you have to run it at the moment of answering, so extra steps of copy / pasting, for a security gain which seems relatively small, if any
- When you are travelling, then you need the same application to come with you
- So you need to register the secrets in plenty of places
- Or you need to have it on a device always with you (e.g. a mobile)
- But guess what happens when your mobile has no more battery, or you have lost it?
Plus this is quite badly explained on the blog and on the support page:
- A list of applications / services selected by we do not know who and in which we may not have any confidence
- Nothing saying this is in fact using HMAC based on time = TOTP
- So nothing allowing us to pick another choice
- And a dependency on being on a device with 30s precise clock at the moment of response code generation, or else you can’t log in
All in all, I feel that security is really creating a problem for people it is supposed to protect, but not really for the people against whom we want to protect.
A bit of security is ok, but not too much. This is like people who put several locks on their doors = full pockets with plenty of keys that end up making a hole in the pocket, losing the keys, and cannot enter anymore so have to break the door … while robbers can go through the roof, or simply make a hole in a wall or in a window, in a few minutes, if they really want to enter.
Can’t thank anybody here for the pain this all generates.
-> An unhappy user / developer.