On 2026/02/14 17:13, sysop@ubik.com.de wrote:
> Without looking at the code, the actual risks seem (imo) low, but I
> don't know your threat model.

if some random process run by your uid is not allowed to read the
password without confirmation, it should not be able to read an otp key
either. (*possibly* an otp calculated value might be ok, but the key is
*at least* as sensitive as a password, probably more so).