donomo,
Thanks for the feedback on that! We need to create more documentation about the 2 Factor Authentication support in the SCLogin module. The otpcheck.php file is something that's only used on Joomla 3.2.x *and* when OTP is enabled. That's probably not a huge amount of sites yet, but we're excited for it to grow even more.
As for the problem you found, that's a legit check that they're performing, and you've implemented the correct work around. Admin Tools (and some other security tools) won't let 'unknown' PHP files run. Whitelisting it like you did is the way around it.. and that file isn't malicious
I'm hoping you're enjoying the SCLogin module, and should you need anything else or have any suggestions for improvement, just let us know.
Finally, if you haven't already, please consider leaving a rating and review for SCLogin, or our support, on the Joomla Extension Directory. It certainly isn't required, but is very appreciated:
extensions.joomla.org/extensions/access-...authentication/24054
Thanks for the feedback, and good luck,
Alex