@flore @r000t @0xabad1dea
This type of card grid is a perfectly good 2nd-factor for 2FA. However, it's not a particularly _convenient_ 2nd factor.
Basically, you need 2 of "something you know", "something you have", "something you are".
The authentication apps on phones are more convenient (and they're locked to the phone, so also 'something you have'), but I'm still terrified by what will happen if/when my phone breaks. (Yes, I do have some recovery codes.)
@tpuddle @flore @0xabad1dea In theory, an attacker could collect the whole card 4-5 cells at a time with each auth he's able to monitor.
So while it's still going to stop 99%+ of attacks, TOTP and webauthn are technically better.
As for your backups when enrolling a phone app, store the shared secret somewhere, or a copy of the QR code. Nicer third-party TOTP apps let you back up their whole database, but keeping the shared secrets is portable.