One time password Authenticator - Mobile App?

[Antipika]

Before thinking about that, SE may want to fix the login process in XIV.

Currently auth is only done once, before starting the game client through a ****** web based interface that uses Internet Explorer (yeah for vulnerabilities \o/). As soon as the credentials are verified and the game client started, then you are free to log on/log off as will. Even worse, you can be connected on as many computers as you want, with different IPs address, provided that your character isn't online on XIV, you can remain on the main menu.

So technically, any "hacker" could "steal" your credentials (not hard if a victim's computer is infected), log on with them once without the victim being able to notice (the "hacker" would just need to make sure that he uses that OTP before the victim does, but since the auth is based on IE it's really not hard to mess up with your victim IE proxy settings to make sure that he cannot log on for a bit), wait for few hours or a even a day, use victim's account behind his back (impossible to notice unless you are on).

As for the OTP itself, it works for way longer than 10 or 30 seconds like some people are claiming. You will receive a new password every 10~30 seconds, but any password generated and unused is valid for a way longer time frame (can be as long as 15 minutes)

I just tried now, generated my OTP @ 0.04. Logged on with it @ 0.11. That is how people still manage to get "compromised" because of phishing website. The window given to the hacker is large enough to enable him to use information the victim entered. And since the OTP the victim entered didn't reach SE's server but the phishing site instead, the OTP remain valid for the hacker to use.