Yeah, that's what I figured. Do you add a secret so you can't steal the login from just knowing the k1?
Discussion
You could. The k1 ends up being known to the wallet and anyone who can view the QR on your screen. Everywhere else is subject to TLS.
I generate a random 32 byte k1 and set it to expire. That seemed good enough to me. More or less the security of a magic link.
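Worked example of the challenge lifecycle the replies describe: a random 32-byte k1 that expires and can only be redeemed once, plus the extra secret the question asks about, here a browser session cookie that is issued separately from the QR so that someone who only saw k1 does not hold the thing that becomes the login. This is added example code, not anything posted in the thread; the 300-second TTL, the class and method names, and the in-memory dict are assumptions. Verifying the wallet's secp256k1 signature over k1 is out of scope here and is a precondition the caller of `redeem` must satisfy.

```python
import secrets
import time

# Assumption: a challenge lives five minutes, roughly the lifetime of a magic link.
K1_TTL_SECONDS = 300


class K1Store:
    """Outstanding k1 challenges: random, expiring, single-use, and bound to the
    browser session that displayed the QR. Example code, not from the thread."""

    def __init__(self, ttl=K1_TTL_SECONDS, clock=time.time):
        self._ttl = ttl
        self._clock = clock        # injectable so expiry is testable
        self._pending = {}         # k1 hex -> (expires_at, browser_session_id)
        self._logged_in = {}       # browser_session_id -> linking key that signed

    def new_browser_session(self):
        """Secret that lives in the browser cookie only; it is never put in the QR,
        so viewing the QR (learning k1) does not reveal it."""
        return secrets.token_urlsafe(32)

    def issue(self, browser_session_id):
        """Mint a fresh 32-byte random k1 (64 hex chars) for this browser session."""
        k1 = secrets.token_hex(32)
        self._pending[k1] = (self._clock() + self._ttl, browser_session_id)
        return k1

    def redeem(self, k1, linking_key_hex):
        """Called once the wallet's callback signature over k1 has been verified
        (precondition, not done here). The k1 is removed on first use, so a
        replay, an unknown k1, or an expired one all fail. On success the
        browser session that showed the QR is marked logged in, not the caller."""
        entry = self._pending.pop(k1, None)
        if entry is None:
            return None
        expires_at, session_id = entry
        if self._clock() > expires_at:
            return None
        self._logged_in[session_id] = linking_key_hex
        return session_id

    def status(self, browser_session_id):
        """What the polling browser asks with its cookie: which linking key, if any,
        has completed the login for this session."""
        return self._logged_in.get(browser_session_id)

    def purge_expired(self):
        """Drop challenges that were never redeemed; returns how many were removed."""
        now = self._clock()
        stale = [k for k, (exp, _) in self._pending.items() if now > exp]
        for k in stale:
            del self._pending[k]
        return len(stale)


if __name__ == "__main__":
    store = K1Store()
    sid = store.new_browser_session()          # goes into the browser's cookie
    k1 = store.issue(sid)                      # goes into the QR the wallet scans
    # Constructed stand-in for a verified wallet callback (a compressed pubkey hex).
    assert store.redeem(k1, "02" + "ab" * 32) == sid
    assert store.redeem(k1, "02" + "ab" * 32) is None   # second use is refused
```

The split matters: k1 is public enough to be shown on screen, the session cookie is not, and the server only ever maps one onto the other after the signed callback arrives.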