From cec4811d38d5e3628a50fee158d7622c9f79ce7d Mon Sep 17 00:00:00 2001
From: Alex <alexander.noack@web.de>
Date: Mon, 8 Jul 2019 23:33:52 +0200
Subject: [PATCH] Explained MFA

---
 README.md | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/README.md b/README.md
index 8fbc2b6..f3fba5c 100644
--- a/README.md
+++ b/README.md
@@ -51,10 +51,15 @@ alexa-remote-control [-d <device>|ALL] -e <pause|play|next|prev|fwd|rwd|shuffle|
  
 There's also a "plain" version, which lacks some functionality (-i, -p, -P, -S and no radio station names and no routines) but doesn't require 'jq' for JSON processing.
 
-In order to use MFA, one needs to obtain the MFA_SECRET from your Amazon account:
+In order to use MFA, one needs to obtain the MFA_SECRET from Amazon account:
 1. You should have MFA using an App already working before proceeding
 1. Add a new app
 1. When presented with the QR-code select "can't scan code"
-1. You will be presented with the MFA shaed secret, something like `1234 5678 9ABC DEFG HIJK LMNO PQRS TUVW XYZ0 1234 5678 9ABC DEFG`
+1. You will be presented with the MFA shared secret, something like `1234 5678 9ABC DEFG HIJK LMNO PQRS TUVW XYZ0 1234 5678 9ABC DEFG`
+1. Now you have to generate a valid response code via `oathtool -b --totp "<MFA shared secret from above>"` and enter that in the web form
+1. Going from here the MFA shared secret becomes the MFA_SECRET for the alexa_remote_control script
+*Treat that MFA_SCECRET just like your password - DO NOT share it anywhere!!!*
+
+It is assumed that MFA secured accounts are less likely to get a captcha response during login - that's why MFA might yield better results if the plain username/password didn't work for you.
 
 http://blog.loetzimmer.de/2017/10/amazon-alexa-hort-auf-die-shell-echo.html