If a service wants you to download for or to activate mandatory 2nd authentication factor:

  • It's the same as using <space> nitropy nk3 secrets add-otp --protect-with-pin --touch-button --digits-str 6 --kind totp paloalto <seed> with your 3 - don't forget to check the command history to delete the key from there in case the leading space of the nitropy-command didn't stop your shell from saving the command to history.
  • If they then show you a QR you're supposed to scan with your always online, known to be unsecure, sending everything to the cloud device there's ususally a button for can't scan that'll show you the seed
  • If on the page then makes it impossible to copy that seed at least in firefox there's right click/inspect (q) which you can use to have a quick look at the source of the element to copy the seed from the source (think about how secure your clipboard is and whether you need to delete the seed afterwards from it. Big mess: clipboard history writing to disk possibly without full disk encryption).
  • Otherwise - if there's no way to get a text view of the seed - take a screenshot of the qr, save it, and use zbarimg <screenshot-file> to get the text reading from the qr