by rdl 4790 days ago
One area where hardware authenticators work really well is where you want to split access to an account, or have some accountable/logged procedure for it. You put the physical token in an envelope and in a safe/put it in the control of a finance person. Tech people have the password, but need to request the token to do logins.

This also requires having role accounts which aren't able to reset authentication settings when logged in, though, to really be good (or else you just disable tokens on first successful login).

Also works well for paranoid people who don't trust their phone, or people who log in only from a phone/tablet and thus where MFA is really one-device-authentication.

1 comments

I see what you mean about losing the phone, but unless you're saving your password locally it still satisfies the old "Something you have, and something you know" rule. If you lose your phone, the attacker won't know your password. And an attacker without your phone won't have your OTP.

These physically secure OTP techniques are interesting, but shouldn't you have accountability at the system level anyways? If everyone has a two-factor device and a password, it's pretty tough to plausibly deny that you logged into a server. Someone would have to have guessed your password and stolen your device.