I'm not saying it's the most secure way, no. Nothing is the most secure. However, a hacker would need to know both my password and have access to my cell, iPad and/or email to access the accounts I use 2FA for. I never use any type of auto log on feature like what I think you're describing? I know how the random code generator works for 2FA - I use it on my iPad, but it's in conjunction with my account password (if that makes sense). But isn't that method tied to a specific device anyway? Again I don't use QR codes so my 2FA apps are always tied to my device... IDK...maybe it seems that a new QR code should be generated for each log in? I'd feel much 'safer' with a random QR code for each log in. What if I'm sitting at work (I'd never do this), and have the QR code on my screen - with the cameras on today's code, someone 10 feet behind could take a pic of screen and capture my code. That's a little extreme, but what if I lose my phone with the QR pic saved as a pic? Rhetorical question of course.
If someone gets your QR code, your 2FA is bypassed. Of course passwords etc. are additional security. I was referring to the situation where an attacker already has your password, which is what 2FA protects you against; if the hacker doesn't have your password, having your 2FA is useless.
When setting up the 2FA initially, of course you do it somewhere private. Yes, cameras can pick it up; that's why showing a new code for each login is a bad idea, because each time you log in you'd have a chance of being filmed or malware on your PC compromising it.
You might want to confirm that... it's possible it could be device based. When I carried an iPhone and iPad - I could hit the 'generate' button at the same time and both would generate a different code. Again - I don't use QR codes so it could work totally different... but with non QR code token generating apps (that's what they are - I use iToken now) after entering my password for the site, I just have to add the code provided by iToken.
How did you set up iToken with the website?
Ah, I see - I guess it makes a little better sense now... so you're assigned permanent QR codes that are just used to generate a random token. Like I said I don't use that option, can't say that I ever will. I tried scanning a QR code once using my iPad. It only took that once to determine the hell with them, lol. But maybe it was the high glare from my thunderbolt, but my iPad couldn't read that bastard for anything - and I was trying to donate to someone. Oh well, I gave it a shot. I don't even have a QR scanner now.
To set up iToken, an email link was sent to me and I had to open on my iPad (from computer where app is to be downloaded)... and enter an activation code. That's as far as my tech knowledge goes in that direction. But I can only use that iToken app with that website unless I 'register' additional sites, each with a different token. iToken's made by Quest... and looking at the more info button, it has my device ID captured. Nice... it even tells me the token type, serial number, date, cycle - wow. Anyhoo, this app wouldn't be used by anyone who'd want to remain anon, because it pretty much knows who the device is registered to.
The token generating app I used before and had a version installed on an iPhone and iPad was Coinbase's - actually that may have been during the time I had an Android tablet and an iPhone... but even so - I remember testing it, if you will. Each code generated was different is my point, on both devices, even tho they were tied to the same online account.