What percentage of those android phones would you say are upgraded to a level where they don't have any publicly announced cve's against them that allow for rce or close enough? Like 5 or 10 percent? I agree that it's better than a single secret, but how does a soft toekn count as "something you have" if it can be stolen from your phone and not end up "missing"? My google auth secret continued to work without a hiccup after apple repaired and wiped my phone and i restored from their cloud backup service. That's not too bad for keeping my voice mail private, but it's a pretty weak protection for sudoers on boxes that are pretty much critical to your company existing.