> It makes sense technically to have a single token anyway. Otherwise you either need to include then identifier of the auth token (in addition to the secret) or have the verification step try out all N options.
I'm not sure if that is true. Most sites support multiple tokens. Off the top of my head I can think of Google, Facebook, Github, Gitlab, and more that support multiple. So it seems like the normal method is to support multiple.
One one site I have over 5 auth tokens configured. And tested with four of them connected to my PC at the same time. I could tap on any one of them to authenticate. This is on a Windows 10 PC.
I'm not sure if that is true. Most sites support multiple tokens. Off the top of my head I can think of Google, Facebook, Github, Gitlab, and more that support multiple. So it seems like the normal method is to support multiple.
One one site I have over 5 auth tokens configured. And tested with four of them connected to my PC at the same time. I could tap on any one of them to authenticate. This is on a Windows 10 PC.