As I understand it, you need a secure & clean initial set-up, after which the user should not have to enter a key again as the handshake between your machine and Google will automatically change.
Phishing won't work if the user does not have to enter the key again. It requires a clean (no keylogger etc) initial setup. Once installed if someone phishes the end user wouldn't need to re-enter a key, thus defeating the phishing scheme.
Phishing won't work if the user does not have to enter the key again. It requires a clean (no keylogger etc) initial setup. Once installed if someone phishes the end user wouldn't need to re-enter a key, thus defeating the phishing scheme.