Instead of an authentication device, why not have an iPhone app that gives the authentication digits? (warning: I have no idea how these devices work and may be missing something obvious)
These keyfob number generators are actually pretty interesting devices. The basic principle is that they generate a pseudorandom sequence of numbers. The starting seed of each device is different, and each device's seed is known to the authenticating server. Given the initial seed and the current time, the server can predict the number that the token will show.
Due to the properties of the pseudorandom algo, it is impossible to guess the seed by observing a token's digits.
And these sealed tokens self-destruct if tampered with. No, you can't change the batteries. :)
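The seed-plus-time principle described in the comment above, as an added example that is not part of the original thread. SecurID's own algorithm is proprietary, so this sketch substitutes the open TOTP construction (RFC 6238, HMAC-SHA1); the function names, the 30-second step and the drift window are assumptions chosen for illustration.

```python
import hashlib
import hmac
import struct

STEP = 30  # seconds each code stays valid (assumed; RFC 6238 default)


def code_for_counter(seed: bytes, counter: int, digits: int = 6) -> str:
    """Derive the displayed digits from the shared seed and a time-step counter."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def token_code(seed: bytes, unix_time: int, digits: int = 6) -> str:
    """What the token shows at a given time."""
    return code_for_counter(seed, unix_time // STEP, digits)


def server_verify(seed, submitted, server_time, digits=6,
                  drift_steps=1, last_counter=-1):
    """Server side: recompute the codes for nearby time steps from its own
    copy of the seed. Returns the matched counter, or None on failure.
    Counters at or below last_counter are refused so that an observed
    code cannot be replayed within its validity window."""
    now = server_time // STEP
    for k in range(-drift_steps, drift_steps + 1):
        counter = now + k
        if counter < 0 or counter <= last_counter:
            continue
        expected = code_for_counter(seed, counter, digits)
        if hmac.compare_digest(expected.encode(), submitted.encode()):
            return counter
    return None


if __name__ == "__main__":
    seed = b"12345678901234567890"  # RFC 6238 test seed, not a real secret
    t = 1111111109
    shown = token_code(seed, t, digits=8)
    print("token shows:", shown)
    # Server clock is 2 seconds ahead and has rolled into the next step.
    matched = server_verify(seed, shown, t + 2, digits=8)
    print("accepted at counter:", matched)
    print("replay:", server_verify(seed, shown, t + 2, digits=8,
                                   last_counter=matched))
```

The server should store the returned counter per token and pass it back as `last_counter` on the next attempt.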
Nice, but why not allow integration with common authentication devices available, such as SecurID? I don't want to end up with 5 or 6 different authentication devices.
In my opinion the best solution for two-factor logins is password plus SMS challenge. It requires a device, but at least it's a device you most likely already have.
The solution might not be as useful in the US with the "pay for receiving messages" stuff, but if the service you're logging into is important enough (bank etc) most people might not mind.
I have no experience with SMS other than as an average user. I'd love to know from someone more knowledgeable than me, how secure this would be? From my basic understanding it seems that SMS would be hard to intercept on the phone network, but if a site is using an SMS gateway, it's not much safer than using email for two factor auth, right?