Note that I'm not talking about systems like Authy, where you can log in to your account on multiple devices and sync your tokens between them -- I'm referring to two completely separate devices that have no knowledge of each other.
Consider the typical two-factor auth setup flow for a consumer website:
- User logs in and navigates to the "set up 2FA" page.
- Site generates and displays a 2D barcode to the user.
- User takes a picture of the barcode with their 2FA app and it generates a token.
- User submits token to the site.
- Site validates/finalizes the setup and 2FA is enabled.
During step 3, if two different devices scanned the barcode, would they then begin to generate the same series of tokens? If so, would they have to scan the barcode at roughly the same time to start with the same initial values?
I'm curious if it is possible to either shoulder-surf the barcode from an unsuspecting user's screen or, for example, see a barcode in video footage (perhaps from a security camera or local news broadcast) and use that to clone a 2FA token without the user's knowledge.
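As an added illustration (not part of the question above), the following Python shows why the scan timing does not matter: a TOTP code is a pure function of the shared secret and the current Unix time (RFC 6238), and the barcode only carries the secret, so any number of devices that read it compute identical codes from then on. The barcode is assumed to contain a standard `otpauth://` Key URI with a Base32 secret; the secret used here is the RFC 6238 reference test key, and the URI is constructed for this example. The `TotpVerifier` class is a hypothetical server-side check that enforces the one-time-use rule from RFC 6238 section 5.2, which is the one place a second copy of the secret can become visible: if a clone and the legitimate device submit the same code in the same time step, the second submission is rejected and can be logged.

```python
import base64
import hmac
import struct
import time
from urllib.parse import parse_qs, urlparse

# RFC 6238 Appendix B reference key, also used by RFC 4226; constructed URI for this example.
RFC_TEST_SECRET = b"12345678901234567890"
CONSTRUCTED_URI = (
    "otpauth://totp/Example:alice@example.com"
    "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Example&digits=6&period=30"
)


def hotp(secret: bytes, counter: int, digits: int = 6, algorithm: str = "sha1") -> str:
    """RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algorithm).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step).

    Nothing here depends on when the secret was enrolled; only the secret and the clock matter.
    """
    return hotp(secret, unix_time // step, digits)


def secret_from_otpauth_uri(uri: str) -> bytes:
    """Extract the shared secret from an otpauth:// Key URI (what the QR code encodes).

    The secret is Base32, usually without padding, so padding is restored before decoding.
    """
    query = parse_qs(urlparse(uri).query)
    b32 = query["secret"][0].upper()
    b32 += "=" * (-len(b32) % 8)
    return base64.b32decode(b32)


class TotpVerifier:
    """Hypothetical server-side verifier: accepts a code within +/- `window` steps of now and
    refuses any time step that has already been consumed (RFC 6238 section 5.2)."""

    def __init__(self, secret: bytes, step: int = 30, digits: int = 6, window: int = 1):
        self.secret, self.step, self.digits, self.window = secret, step, digits, window
        self._last_accepted = None  # highest counter value accepted so far

    def verify(self, submitted: str, now: int) -> bool:
        base = now // self.step
        for delta in range(-self.window, self.window + 1):
            counter = base + delta
            if hmac.compare_digest(hotp(self.secret, counter, self.digits), submitted):
                if self._last_accepted is not None and counter <= self._last_accepted:
                    # Same step already used: a replay, or a second device holding the secret.
                    return False
                self._last_accepted = counter
                return True
        return False


def codes_from_two_scans(uri: str, check_time: int) -> tuple[str, str]:
    """Two independent 'devices' read the same barcode; each keeps only the secret."""
    device_a_secret = secret_from_otpauth_uri(uri)  # scanned whenever
    device_b_secret = secret_from_otpauth_uri(uri)  # scanned at some other, unrelated time
    return totp(device_a_secret, check_time), totp(device_b_secret, check_time)


if __name__ == "__main__":
    now = int(time.time())
    code_a, code_b = codes_from_two_scans(CONSTRUCTED_URI, now)
    print("device A:", code_a, "device B:", code_b, "identical:", code_a == code_b)

    server = TotpVerifier(secret_from_otpauth_uri(CONSTRUCTED_URI))
    print("first submission accepted:", server.verify(code_a, now))
    print("same code again (second device) accepted:", server.verify(code_b, now))
```

The one-time-use check does not prevent a holder of the secret from logging in during a different time step, so the real mitigation is treating the enrollment barcode as the long-term secret it is: show it only once, over a private channel, and re-enroll (rotate the secret) if it may have been observed.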