I was wondering about the design of TOTP and 2FA. I learned that 2FA is any 2 of the following authentication methods:
- Something you know (e.g. a password)
- Something you have (e.g. an email address)
- Something you are (e.g. biometrics)

Since the generated codes are based on a shared secret, shouldn't TOTP be considered 'something you know' instead of 'something you have'? That would make it not 2FA but actually the same method twice.