From 7ad0e23caf82213e7dd2646e0cd67f99c7939daa Mon Sep 17 00:00:00 2001 From: pilcrowOnPaper Date: Wed, 20 Mar 2024 08:42:26 +0900 Subject: [PATCH] mention totp verification --- pages/mfa.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pages/mfa.md b/pages/mfa.md index b205579..d887d97 100644 --- a/pages/mfa.md +++ b/pages/mfa.md @@ -38,6 +38,8 @@ HMAC SHA-1 is used to generate TOTPs. The secret key is exactly 160 bits and it To share the secret, generate a [key URI](https://github.com/google/google-authenticator/wiki/Key-Uri-Format) and encode it into a QR code. The `secret` is base32 encoded. +You should verify that the user has correctly scanned the QR code by asking for the generated OTP. + ``` otpauth://totp/example%20app:John%20Doe?secret=JBSWY3DPEHPK3PXP&issuer=Example%20App&digits=6&period=30 ```
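Review bot: The added sentence in the `pages/mfa.md` hunk sits between "The `secret` is base32 encoded." and the fenced `otpauth://` example, so the example URI now reads as if it illustrates OTP verification instead of the key URI format. Consider moving the new line below the closing fence, so the order is: build the URI, show the example, then verify the scan. The sentence also gives no guidance on what to do when the submitted OTP does not match. It would help to state that TOTP should only be marked as enabled for the account after the user submits a valid code, because a mis-scanned or never-scanned secret would otherwise lock the user out at the next sign-in.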