Authenticators that require the handbook entry of the authenticator output, including out-of-band and OTP authenticators, SHALL NOT be regarded verifier impersonation-resistant because the handbook entry would not bind the authenticator output to the specific session getting authenticated. This doc assumes that the subscriber will not be colluding using an attacker https://ernestv318enx7.wikififfi.com/user
