This isn’t new, but it’s increasingly popular:
> The technique is known as device code phishing. It exploits “device code
> flow,” a form of authentication formalized in the industry-wide OAuth
> standard. Authentication through device code flow is designed for logging
> printers, smart TVs, and similar devices into accounts. These devices
> typically don’t support browsers, making it difficult to sign in using more
> standard forms of authentication, such as entering user names, passwords, and
> two-factor mechanisms.
>
> Rather than authenticating the user directly, the input-constrained device
> displays an alphabetic or alphanumeric device code along with a link
> associated with the user account. The user opens the link on a computer or
> other device that’s easier to sign in with and enters the code. The remote
> server then sends a token to the input-constrained device that logs it into
> the account...
Here’s an easy system for two humans to remotely authenticate to each other, so
they can be sure that neither is a digital impersonation.
> To mitigate that risk, I have developed this simple solution where you can
> set up a unique time-based one-time passcode (TOTP) between any pair of
> persons.
>
> This is how it works:
>
> 1. Two people, Person A and Person B, sit in front of the same computer and
> open this page;
> 2. They input their respective names (e.g. Alice and Bob) onto the same page,
> and click “Generate”;
> 3. The page will generate two TOTP QR codes, one for Alice and one for Bob;
> ...