Is there a proper security reason for the unusual way the OTP entry method works?
Is there a security reason for the unusual way the OTP entry method works, i.e. PIN + OTP? Overall, it's just a bit strange: why not use the regular method of password first, and OTP afterwards? Or why not just use password+OTP instead of PIN+OTP? Why is there a need for a PIN number?
The reason I'm asking this is because, for one, I thought for quite a while that my password manager had somehow saved the wrong password, because my password didn't work after setting up OTP. And secondly, since I use a password manager, it's kind of useless now, because instead of a password I need to use some PIN.
I would also have to say that the 2FA setup should probably be simplified, at least for software OTP, since that's the one most people use. You can leave the advanced settings there, but they should be under some kind of advanced tab. The user shouldn't really have to do more than click "activate OTP" or something, then scan the QR code or enter the code manually in the OTP app. I would also recommend placing these settings under the name "two-factor authentication" instead of "one-time password", which is what it's currently under in the settings; it's just a more recognizable name.
Overall I have to say that, as a customer, the whole 2FA process was really bad. I'm a software developer, but I couldn't even find the setting at first due to the unusual name, the setup was unnecessarily complicated, and I finally thought I was locked out because of the weird way passwords work after setting up 2FA. There wasn't even a proper notice that after setting up the OTP you have to log in with PIN+OTP.