How is this any different than the prior situation?
Now instead of needing to trick a user into giving you their username and password, you need to trick them into giving you their username, password, and one-time token.
It's designed to address situations where the password is discovered by other parties.
Now instead of needing to trick a user into giving you their username and password, you need to trick them into giving you their username, password, and one-time token.
It's designed to address situations where the password is discovered by other parties.