This repository has been archived by the owner on Feb 17, 2022. It is now read-only.

Fixed a lot of passages to better reflect the package's inner workings.
DarkGhostHunter committed Feb 8, 2020
1 parent 362be87 commit 1bec616
Showing 1 changed file with 13 additions and 13 deletions.
26 changes: 13 additions & 13 deletions README.md
Expand Up @@ -81,7 +81,7 @@ To enable Two Factor Authentication successfully, the User must sync the Shared

> Some free Authenticator Apps are [FreeOTP](https://freeotp.github.io/), [Authy](https://authy.com/), [andOTP](https://github.com/andOTP/andOTP), [Google Authenticator](https://play.google.com/store/apps/details?id=com.google.android.apps.authenticator2&hl=en), and [Microsoft Authenticator](https://www.microsoft.com/en-us/account/authenticator), to name a few.
First, generate a shared secret using the `createTwoFactorAuth()` method. Once you do, you can show it to the User as a string or QR Code (encoded as SVG) in your view.
To start, generate the needed data using the `createTwoFactorAuth()` method. Once you do, you can show the Shared Secret to the User as a string or QR Code (encoded as SVG) in your view.

```php
public function prepareTwoFactor(Request $request)
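Review bot: the rewording to "generate the needed data" drops the one concrete noun the reader needs, while the next sentence still says "show the Shared Secret"; say what the needed data is, at minimum the Shared Secret, e.g. "To start, generate the Shared Secret and its related data using `createTwoFactorAuth()`."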
Expand All @@ -96,7 +96,9 @@ public function prepareTwoFactor(Request $request)
}
```

Then, the User must confirm the Shared Secret with a Code generated by their Authenticator app. This `confirmTwoFactorAuth()` method will automatically enable it if the code is valid.
> When you use `createTwoFactorAuth()` on someone with Two Factor Authentication already enabled, the previous data becomes permanently invalid. This ensures a User **never** has two Shared Secrets enabled at any given time.
Then, the User must confirm the Shared Secret with a Code generated by their Authenticator app. This `confirmTwoFactorAuth()` method will automatically enable it if the code is valid.

```php
public function confirmTwoFactor(Request $request)
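Review bot: the new note says that calling `createTwoFactorAuth()` on a User who already has Two Factor Authentication enabled makes the previous data permanently invalid, but it does not say what state the account is in between that call and a successful `confirmTwoFactorAuth()`: is Two Factor Authentication still enforced with the old secret, disabled, or blocked? Since the paragraph right below says confirmation is what enables it, spell out that intermediate state, and what happens to the Recovery Codes tied to the old secret, because that window is where a User can be left with no working second factor.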
Expand All @@ -109,8 +111,6 @@ public function confirmTwoFactor(Request $request)

If the User doesn't issue the correct Code, the method will return `false`. You can tell the User to double-check its device's timezone, or create another Shared Secret with `confirmTwoFactorAuth()`.

> Every time you use `confirmTwoFactorAuth()` the previous Two Factor Authentication becomes permanently invalid. The User should **never** have two shared secrets enabled at any given time.
### Recovery Codes

Recovery Codes are automatically generated each time the Two Factor Authentication is enabled. By default, a Collection of ten one-use 8-characters codes are created.
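Review bot: removing the old note here is consistent with moving it to `createTwoFactorAuth()` in the hunk above, but the unchanged sentence just before it still says "create another Shared Secret with `confirmTwoFactorAuth()`", which contradicts the text above (that is the confirmation method); it should read `createTwoFactorAuth()`. Also "its device's timezone" should be "their device's clock": TOTP codes are computed from Unix time, so a device whose clock is off produces wrong codes regardless of the timezone setting.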
Expand All @@ -120,7 +120,7 @@ You can show them using `getRecoveryCodes()`.
```php
public function confirmTwoFactor(Request $request)
{
if ($request->user()->confirmTwoFactorAuth($code)) {
if ($request->user()->confirmTwoFactorAuth($request->code)) {
return $request->user()->getRecoveryCodes();
} else {
return 'Try again!';
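Review bot: good fix, `$code` was undefined in the example and `$request->code` resolves it. Two things worth documenting next to it: the snippet passes the raw request input straight to `confirmTwoFactorAuth()`, so say that the code should be validated as a required string first, and clarify how this `code` input relates to the `2fa_code` input name described in the Configuration section, since a reader will wonder whether they are the same field.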
Expand Down Expand Up @@ -178,7 +178,7 @@ The following events are fired in addition to the default Authentication events.
* `TwoFactorRecoveryCodesGenerated`: An User has generated a new set of Recovery Codes.
* `TwoFactorDisabled`: An User has disabled Two Factor Authentication.

> You can use `TwoFactorRecoveryCodesDepleted` to notify the User to create more Recovery Codes, send him to his email a new batch of codes, or even [send him a code via SMS](https://laravel.com/docs/6.x/notifications#sms-notifications).
> You can use `TwoFactorRecoveryCodesDepleted` to notify the User to create more Recovery Codes, send him to his email a new batch of codes.
## Middleware

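Review bot: dropping the SMS link also drops the "or" before the last item, so the sentence now reads as a run-on ("notify the User to create more Recovery Codes, send him to his email a new batch of codes"). Suggest: "You can use `TwoFactorRecoveryCodesDepleted` to notify the User to create more Recovery Codes, or to email them a new batch of codes."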
Expand All @@ -194,9 +194,9 @@ This middleware works much like the `verified` middleware: if the User has not e

## Protecting the Login

Two Factor Authentication can be victim of brute-force attacks. The attacker will need at best 16.666 requests each second to get the correct codes.
Two Factor Authentication can be victim of brute-force attacks. The attacker will need between 16.000~34.000 requests each second to get the correct codes.

Since the listener throws a response before the Login throttler increments its tries, its recommended to use a try-catch in the `attemptLogin()` method.
Since the listener throws a response before the default Login throttler increments its failed tries, its recommended to use a try-catch in the `attemptLogin()` method to keep the throttler working.

```php
/**
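Review bot: the new figure "16.000~34.000 requests each second" needs its derivation, otherwise readers cannot recompute it when they change `digits` or `period` (the Configuration section below shows six digits and a 30-second period). A 6-digit code has 1,000,000 possible values; trying all of them within one 30-second period takes about 33,333 requests per second, and the expected cost is half that, about 16,667, which is where the two ends of the range come from. Write it with a consistent thousands separator ("between 16,000 and 34,000") rather than "16.000~34.000", and tie it to the next paragraph: the throttler is what keeps an attacker far below that rate. Same hunk: "its recommended" should be "it's recommended".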
Expand All @@ -218,7 +218,7 @@ protected function attemptLogin(Request $request)
}
```

To show the form, the Listener uses `HttpResponseException` to forcefully exit the authentication logic. This exception catch allows to throw the response after the login attempts are incremented, making the throttle usable again.
To show the form, the Listener uses `HttpResponseException` to forcefully exit the authentication logic. This exception catch allows to throw the response after the login attempts are incremented.

## Configuration

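Review bot: the edited sentence still leaves the important property implied. Since the listener's response is now thrown after the login attempts are incremented, every login that reaches the Two Factor prompt, and therefore every wrong code submitted through the login form, counts as a failed attempt toward the throttler's lockout; say that plainly, because it is the reason the try-catch exists. Grammar: "This exception catch allows to throw the response" should be "Catching this exception lets you rethrow the response after the login attempt has been counted."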
Expand Down Expand Up @@ -274,7 +274,7 @@ return [

By default, the input name that must contain the Two Factor Authentication Code is called `2fa_code`, which is a good default value to avoid collisions with other inputs names.

This allows to seamlessly intercept the log in attempt and proceed with Two Factor Authentication or bypass it. Change it if it collides with other login inputs.
This allows to seamlessly intercept the log in attempt and proceed with Two Factor Authentication or bypass it. Change it if it collides with other login form inputs.

### Recovery

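Review bot: minor wording in the changed line: "This allows to seamlessly intercept the log in attempt" is ungrammatical; suggest "This lets the package intercept the login attempt and either proceed with Two Factor Authentication or bypass it." In the unchanged line above, "other inputs names" should be "other input names".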
Expand Down Expand Up @@ -304,7 +304,7 @@ return [
];
```

Enabling this option will allow the application to "remember" a device using a cookie, allowing it to bypass Two Factor Authentication once a code is verified in that device.
Enabling this option will allow the application to "remember" a device using a cookie, allowing it to bypass Two Factor Authentication once a code is verified in that device. When the User logs in again in that device, it won't be prompted for a Code.

There is a limit of devices that can be saved. New devices will displace the oldest devices registered. Devices are considered no longer "safe" until a set amount of days.

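Review bot: the added sentence states the effect of the cookie, but the section still does not say what the cookie is bound to or how it is protected, which is what a reader evaluating "remember device" needs: whether the cookie is tied to the User's current Shared Secret (and so stops working when `createTwoFactorAuth()` invalidates the previous data, per the note added earlier in this commit), whether it is signed or encrypted, and whether a User can revoke remembered devices before the day limit in the next paragraph runs out. Also "it won't be prompted" should be "they won't be prompted".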
Expand All @@ -320,7 +320,7 @@ return [
];
```

This controls how the length (in bytes) used to create the Shared Secret. While a 160-bit shared secret is enough, you can tighten or loosen the secret length to your liking.
This controls the length (in bytes) used to create the Shared Secret. While a 160-bit shared secret is enough, you can tighten or loosen the secret length to your liking.

It's recommended to use 128-bit or 160-bit because some Authenticator apps may have some problems with other non-RFC-recommended lengths.

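Review bot: the fixed sentence says the option is in bytes while the recommendation just below is in bits; give both so nobody sets 128 or 160 as the byte count: 128-bit is 16 bytes and 160-bit is 20 bytes, the latter being the length RFC 4226 recommends. Since RFC 4226 also requires the shared secret to be at least 128 bits, "tighten" should be qualified so readers do not go below 16 bytes.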
Expand All @@ -346,7 +346,7 @@ This controls TOTP code generation and verification mechanisms:

This configuration values are always passed down to the authentication app as URI parameters:

otpauth://totp/Laravel:taylor@laravel.com?secret=THISISMYSECRETPLEASEDONOTSHAREIT&issuer=Laravel&algorithm=sha1&digits=6&period=30
otpauth://totp/Laravel:taylor@laravel.com?secret=THISISMYSECRETPLEASEDONOTSHAREIT&issuer=Laravel&algorithm=SHA1&digits=6&period=30

These values are printed to each 2FA data inside the application. Changes will only take effect for new activations.

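Review bot: changing `algorithm=sha1` to `algorithm=SHA1` matches the key URI format, where the algorithm values are written SHA1, SHA256 and SHA512; worth adding that the configured value is written into the URI as-is, so it should be spelled that way in the config. In the surrounding lines, "This configuration values are always passed down" should be "These configuration values are always passed down", and "These values are printed to each 2FA data inside the application" is unclear; suggest "These values are stored with each User's 2FA data when it is created."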

0 comments on commit 1bec616