The basic mechanism is for the user to have a (client) device that uses the time and the shared secret key to calculate the one-time password. The user then types in this number at the login prompt as a second password in addition to their "normal" password.
The client device can either be a dedicated hardware key or a smartphone app.
Once you have installed the app you can set up entries for as many remote accounts as you wish, each with its own shared key. To save typing an 80-character hex key, both of the above apps allow you to scan in a QR code instead.
When you start up the app you should see a "+" at the top of the screen. Pressing it should start the camera; point it at the following QR code:
It should install a dummy account entry called "test-account", displaying a six-digit number that changes every 30s. (To save battery it may not always show the number but pressing it should activate it.)
You can delete the test account once you have got to the stage that it is generating the six-digit TOTP.