[mixedbit]

Not really. All 2 factor authentication schemes that I've seen give no protection against a compromised client machine.

In theory you could probably device a scheme that would require the use of two independent devices to perform any sensitive action and that would guarantee that if only one of the devices is compromised, the attacker would have no way to perform any action in a name of the user. But I'm afraid any such scheme would be a complete failure from a usability perspective.

[mseebach]

When the second factor is a "rich" device, such as a smart phone, attaching transaction information to the interaction would be a trivial - instead of texting "The code is 1234", text "Transfer $100 to account 9876" or "Login attempt from IP 1.2.3.4, FooCom Inc, Springfield, Oregon, USA.", followed by "If correct, enter code 1234. If not, DO NOT enter the code and contact us at .. "