The security model behind sending one-time passwords as SMS ("something that you have") assumes that, once received on a phone, the SMS will never leave the phone again (or, at least, not before the OTP becomes invalid).
This is not the case, however, with this app...
Hacking into your Nextcloud instance is definitely possible, so hackers could read your OTPs there and gain more access.
Telling people (that use SMS-based OTPs) not to use your app at all is probably not a good idea. For these people, you could maybe implement some heuristic that detects whether a message contains an OTP. If it does, the message should not get synced at all.
If you don't agree with me, please tell!
Especially if you think the security model behind SMS-based OTPs is "broken by design" and should not be treated separately from this app. In that case, please close this issue.
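The heuristic suggested above, as an added example that is not part of the original issue or of the app's code. It combines a keyword gate (words that usually accompany a code, matched on word boundaries) with a digit-group matcher whose look-arounds reject digits that belong to amounts, dates or longer numbers, and holds back any message that passes both. The keyword list, the message shape (`dict` with a `"body"` key) and the sample inbox are constructed assumptions of this example; a real implementation in the app would need the list tuned per language and provider.

```python
import re

# Constructed keyword list (an assumption of this example, not the app's):
# words that usually accompany a one-time code, matched on word boundaries so
# that e.g. "pin" does not fire on "shipping". Extend per language/provider.
KEYWORD_RE = re.compile(
    r"\b(?:code|otp|one[- ]time|passcode|pin|verification|verify|token|2fa|"
    r"authenticat\w*|login|log in|sign in|password)\b",
    re.IGNORECASE,
)

# A standalone group of 4-8 digits, or 3+3 / 4+4 digits split by a space or
# dash ("482 913", "4829-1304"); the split forms are tried first so that
# "4829-1304" is one code, not two. The look-arounds reject digits that belong
# to a longer number, a decimal amount or a thousands-separated figure, while
# still allowing a code that ends a sentence ("lautet 4821.").
CODE_RE = re.compile(
    r"(?<!\d)(?<!\d[.,])"                       # not after a digit or "digit."/"digit,"
    r"(\d{3}[ -]\d{3}|\d{4}[ -]\d{4}|\d{4,8})"
    r"(?!\d)(?![.,]\d)"                         # not before a digit or ".digit"/",digit"
)


def extract_codes(text: str) -> list[str]:
    """Return the digit groups in `text` that are shaped like a one-time code."""
    return [m.group(1) for m in CODE_RE.finditer(text)]


def looks_like_otp(text: str) -> bool:
    """Heuristic verdict: an OTP keyword plus at least one code-shaped group."""
    return bool(KEYWORD_RE.search(text)) and bool(extract_codes(text))


def split_for_sync(messages):
    """Partition messages into (safe_to_sync, held_back).

    Messages are dicts with a "body" key; that shape is an assumption of this
    example, not the app's real data model.
    """
    safe, held = [], []
    for msg in messages:
        (held if looks_like_otp(msg["body"]) else safe).append(msg)
    return safe, held


# Constructed sample inbox (not real traffic): four OTP-style messages and
# three that contain digit groups but are not one-time codes.
SAMPLE_MESSAGES = [
    {"id": 1, "body": "Your verification code is 482913. It expires in 10 minutes."},
    {"id": 2, "body": "G-729014 is your Google verification code."},
    {"id": 3, "body": "Dein Code lautet 4821."},
    {"id": 4, "body": "Use 482 913 to sign in to your account."},
    {"id": 5, "body": "Your order #48291300 has shipped and will arrive 2024-05-06."},
    {"id": 6, "body": "Lunch at 1230? Call me on 555-0199."},
    {"id": 7, "body": "Total: 1,482913.50 EUR charged to your card."},
]


def demo():
    """Run the filter over the sample inbox; returns the ids kept and held."""
    safe, held = split_for_sync(SAMPLE_MESSAGES)
    return [m["id"] for m in safe], [m["id"] for m in held]


if __name__ == "__main__":
    print(demo())  # ([5, 6, 7], [1, 2, 3, 4])
```

The keyword gate is what keeps the order number, the phone number and the amount in the sample from being held back; the price it pays is that a message consisting of a bare six-digit number with no accompanying word is synced. Whether to accept that, or to drop the keyword requirement and hold back every message with a lone 4-8 digit group, is a precision/recall trade-off the app would have to pick. Since the concern in the issue is only about the window before the code expires, "held back" could also mean "synced after a delay" rather than "never synced".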