As far as I can tell, this is the result of an earlier validation codepath added in 4a550304e935d60905002c9c81a92d17100897e9 rendered inaccessible by validation code added in 236f2b72b7aa675149e4b956ebd0db9190f03f80.
This string needs to be translated and maintained, it's also very confusing; if we can avoid this validation step by simply enforcing the required string length (as we appear to already be doing), we should remove it.
We currently validate that HOTP secrets are 40 characters long, and we also check against "odd length", here: https://github.com/freedomofpress/securedrop/blob/develop/securedrop/journalist_app/utils.py#L137
As far as I can tell, this is the result of an earlier validation codepath added in 4a550304e935d60905002c9c81a92d17100897e9 rendered inaccessible by validation code added in 236f2b72b7aa675149e4b956ebd0db9190f03f80.
This string needs to be translated and maintained, it's also very confusing; if we can avoid this validation step by simply enforcing the required string length (as we appear to already be doing), we should remove it.