I am using Google Authenticator as a second factor on some sites, (including my Google Account).
Every now and then I need to produce a token to log in.
If some attacker received those tokens over time, would they become able to guess the internal secret (seed) for the TOTP in Google Authenticator, thus being able to produce tokens for themselves?
How many tokens wouldy the need for a reasonable chance to log in, given they have the username/password already?
