by Spooky23 2893 days ago
It's not multi-factor auth.

Most of the smartphone-based solutions are two-step auth -- it's just a different kind of secret that you know. If you use 1Password or Authy, your token is your 1Password/Authy credential.

The hardware-based token approach is always going to be better, because the secret is part of the device and isn't portable. The Yubikey and challenge/response tokens are great as you need to have it present; you cannot easily get away with hijinks like putting a webcam on your RSA token.

1 comments

I’d say that a separate phone app with MFA codes that are only stored offline qualifies as a second factor, as you need both the phone and its access code (fingerprint etc.) to see the code.
It can, but users have the ability to undermine those controls in many cases via Authy, 1Password, etc.