
Is there any security risk for an application allowing a user to register multiple TOTP devices for a single account?

I've noticed that with many popular accounts (Gmail, GitHub) you have the ability to register multiple security tokens, but not to register multiple TOTPs, and I've been pondering why.

To me, it looks beneficial for applications to allow for multiple TOTP registrations, as the shared secret is less likely to be saved outside of the app (to allow ad hoc registrations for the same account), or a workflow in which a user completely turns off MFA in order to re-register all devices with a new shared key.

I'm trying to understand the history of why there are so many implementations of only having a single TOTP registration per account at any given time. Is there a security recommendation against allowing multiple registrations?

Jeff Wong
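To make the question's alternative concrete, here is an added example (not code from the question or from any of the services it names) of an account holding several independent TOTP secrets, verifying a submitted code against each one, and tracking the last accepted time step per device so an intercepted code cannot be replayed. The device names and the second secret are constructed for the example; the first secret is the RFC 6238 test vector.

```python
import hashlib
import hmac
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, for_time: int, step: int = 30) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the Unix time step."""
    return hotp(secret, for_time // step)


class Account:
    """An account that may hold several TOTP devices, each with its own secret."""

    def __init__(self) -> None:
        # device name -> {"secret": bytes, "last_counter": last accepted time step}
        self.devices: dict = {}

    def register(self, name: str, secret: bytes) -> None:
        # Each device gets its own shared secret; none is ever shown twice.
        self.devices[name] = {"secret": secret, "last_counter": -1}

    def verify(self, code: str, now=None, step: int = 30, window: int = 1):
        """Return the name of the device that produced `code`, or None.

        Checks +/- `window` time steps for clock drift, and refuses any step
        that a device has already used (RFC 6238 section 5.2 replay guard).
        """
        counter = int(time.time() if now is None else now) // step
        for name, dev in self.devices.items():
            for c in range(counter - window, counter + window + 1):
                if c <= dev["last_counter"]:
                    continue  # already consumed (or older) step: reject replay
                if hmac.compare_digest(hotp(dev["secret"], c), code):
                    dev["last_counter"] = c
                    return name
        return None
```

Note that every extra device and every extra step in the drift window adds another value a guess can match, so the more registrations an account holds, the more the server must lean on rate limiting and lockout rather than on the six digits alone.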

0 Answers