Two Factor local login proposal

Deutsche Bank e.g. has its own 2FA implementation (called photoTAN) and is allowing this. Therefore it’s also possible to revoke the rights for each 2FA enabled device afterwards.

So, it’s not a big deal if one device gets lost or isn’t right by your side. I have an old iPhone 5 (and won’t buy a far more expensive new iPhone any time soon) if I can do the same things on a larger display on my iPad mini 4 for a fraction of the price.

Hope you’ll understand my logic behind multiple 2FA-enabled devices :wink:

1 Like

Oh, that would mean storing a different token for each device.
I’m always storing the QR code image in my KeePass database for later use. Has mostly the same effect and works on every site. :wink:

5 Likes

Nevertheless, storing the QR in some place has the same value for security as a saved password if you can’t pair devices with each other and revoke their rights if necessary. :wink:

I don’t see much benefit in 2FA if the OTP client isn’t appropriately linked to the server. It would be great if, let’s say, each user could configure up to 3 different clients. Nowadays it’s not unusual that power users have multiple devices (Android, iOS and tablet).

3 Likes
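
The per-device setup discussed in the posts above (a different token for each device, up to 3 clients per user, each revocable on its own), sketched as an added example that is not part of the thread or of any project's code. `UserTotpDevices`, `MAX_DEVICES` and the in-memory storage are hypothetical; codes follow RFC 6238 with HMAC-SHA1, 30-second steps and 6 digits.

```python
import hashlib
import hmac
import secrets
import struct

MAX_DEVICES = 3   # per-user limit suggested in the thread (assumption)
STEP, DIGITS = 30, 6

def totp(secret: bytes, unix_time: int) -> str:
    """RFC 6238 code (HMAC-SHA1, dynamic truncation per RFC 4226)."""
    digest = hmac.new(secret, struct.pack(">Q", unix_time // STEP), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)

class UserTotpDevices:
    """Hypothetical per-user store: one independent secret per enrolled device."""

    def __init__(self):
        self.devices = {}  # name -> {"secret": bytes, "last_counter": int}

    def enroll(self, name: str) -> bytes:
        if name in self.devices:
            raise ValueError("device name already enrolled")
        if len(self.devices) >= MAX_DEVICES:
            raise ValueError("device limit reached; revoke one first")
        secret = secrets.token_bytes(20)  # shown to the user once, as the QR code
        self.devices[name] = {"secret": secret, "last_counter": -1}
        return secret

    def revoke(self, name: str) -> bool:
        """Drop one device's secret; the other devices keep working."""
        return self.devices.pop(name, None) is not None

    def verify(self, code: str, unix_time: int):
        """Return the name of the device whose secret produced `code`, else None."""
        now = unix_time // STEP
        for name, dev in self.devices.items():
            for counter in (now - 1, now, now + 1):  # tolerate one step of clock drift
                if counter <= dev["last_counter"]:
                    continue  # refuse reuse of an already accepted time step
                expected = totp(dev["secret"], counter * STEP)
                if hmac.compare_digest(expected.encode(), code.encode()):
                    dev["last_counter"] = counter
                    return name
        return None
```

Because each device has its own secret, the matched device name can be recorded per login, and a lost device can be revoked without re-enrolling the others.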

In future iterations I’m definitely envisioning allowing multiple 2-factors, but allowing a single TOTP/user was already a very attractive milestone to hit. Having any 2-factor auth is already much more secure, as it prevents access even when the attacker has access to your email.

6 Likes

OK, I am closing this now, huge thank you to @awole20!

Future requests / support etc. regarding 2FA belong in new topics.

10 Likes