
How should I share a TOTP shared key with my users?

Çağlar Arlı

I want to add one-time passwords as gates for certain important actions in the application I am working on. It is not two-factor authentication, although it may be extended to that use case later.

RFC6238 is a very commonly adopted standard for this kind of problem.

It seems very straightforward to have users download Google Authenticator or something similar on their mobile device and then implement RFC6238 on the server as well.

The one part I can't find any clear guidance on is how to securely share the shared key with users. Is it okay to send this via email or SMS? Is it okay to display a QR code in the browser? Is sharing the secret in the browser defeating the added security, since any logged in user could get a new secret and configure their device to use it to generate OTPs?