2. In this case, the password is the OTP. Unlike a password, which is in *your head*, the OTP is a dynamic password sent to the phone via SMS. So what if the OTP is revealed?
4. It exchanges a secret with the Android app, and that secret is then used to generate the VID, TOTP, etc.
6. In effect, your Aadhaar is taken over by whoever reads the OTP first. And is there a list of apps that get notifications first in Android? Is that order controllable? AFAIK, no. (Correct me if I am wrong on this.)
8. So what is the right way to do this initial setup? QR code scanning done offline, like WhatsApp, Google Authenticator, or any decent 2FA app.
medium.com/karana/securit…
Remember: phone gone, Aadhaar gone.