by raesene3 4411 days ago
Interesting article, I've always thought that phones are one of the weaker links in the 2FA chain (but a lot cheaper than dedicated tokens).

The general use of SMS/voicemail has another potential weak point, which is where people start using VoIP services a lot. If an attacker has compromised someone's client computer with the usual set of trojans and they use something like Skype to receive SMS and voice calls, 2FA which relies on tokens via SMS or voice could be easily compromised, as the attacker will already have access to them.


Dedicated tokens are actually cheap. You can get one for 10-20 bucks.
The problem with most dedicated tokens is you probably don't want to use the same token across multiple services. It is a financial and physical logistical cost to have one per service.

I'd love a cheap hardware token which could support around 32 simultaneous TOTP seeds. It would cost an extra 2 digits on the display and maybe an extra button (but hold vs. press could be multiplexed so you get both).

I use a YubiKey NEO which has the ability to store multiple TOTP tokens on it. You have to arse around with it first and install a jar to the token to give it that capability (I remember it's all official from YubiKey, they just don't ship the keys with that capability).

Then, I simply NFC it to my Android phone, and the YubiKey NEO app shows the 2FA tokens for all the secrets on that key. You can also password-encrypt the key, so that someone can't just steal the key off you.

Adding new secrets is also easy, I just scan the QR with the app, touch the key to the phone, give it a name and it's added.

I've got around 12 TOTP secrets on there, works very well.
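The two comments above (the wish for a token holding around 32 TOTP seeds, and the NEO workflow of scanning a provisioning QR code and keeping one secret per service) describe a device that is easy to model in software. The following is an added example, not code from the thread or from Yubico: an RFC 4226/6238 HOTP/TOTP implementation, a parser for the `otpauth://totp/...` Key URI that provisioning QR codes carry, a server-side verifier with a clock-skew window, and a `MultiSeedToken` class with a slot limit. The class, its method names, and the sample URI are assumptions made for the illustration; the seed in the sample URI is the RFC 6238 test key `12345678901234567890` in base32, so the codes it produces can be checked against the RFC's published vectors.

```python
"""Added example (not from the thread): a software model of a multi-seed TOTP token."""
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, unquote, urlparse


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at_time: float, step: int = 30, digits: int = 6,
         algo=hashlib.sha1) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step)."""
    return hotp(secret, int(at_time) // step, digits, algo)


def verify_totp(secret: bytes, code: str, at_time: float, step: int = 30,
                digits: int = 6, window: int = 1, algo=hashlib.sha1) -> bool:
    """Server-side check: accept +/- `window` steps of clock skew, compare in constant time."""
    ok = False
    for k in range(-window, window + 1):
        candidate = totp(secret, at_time + k * step, step, digits, algo)
        # no early return, so timing does not reveal which slot matched
        ok |= hmac.compare_digest(candidate, code)
    return ok


def parse_otpauth(uri: str) -> dict:
    """Parse an otpauth://totp/<label>?secret=...&issuer=... provisioning URI (Key URI format)."""
    u = urlparse(uri)
    if u.scheme != "otpauth" or u.netloc != "totp":
        raise ValueError("not a TOTP provisioning URI")
    q = parse_qs(u.query)
    label = unquote(u.path.lstrip("/"))
    secret_b32 = q["secret"][0].upper()
    secret_b32 += "=" * (-len(secret_b32) % 8)  # QR payloads usually omit base32 padding
    algo = {"SHA1": hashlib.sha1, "SHA256": hashlib.sha256, "SHA512": hashlib.sha512}[
        q.get("algorithm", ["SHA1"])[0].upper()]
    return {
        "label": label,
        "issuer": q.get("issuer", [label.split(":")[0]])[0],
        "secret": base64.b32decode(secret_b32),
        "digits": int(q.get("digits", ["6"])[0]),
        "period": int(q.get("period", ["30"])[0]),
        "algo": algo,
    }


class MultiSeedToken:
    """Models a hardware token holding several independent TOTP seeds, one slot per service."""

    def __init__(self, capacity: int = 32):
        self.capacity = capacity
        self._slots = {}  # service name -> parsed provisioning parameters

    def add_uri(self, name: str, uri: str) -> None:
        """Provision a slot from a scanned QR code; refuse once the token is full."""
        if len(self._slots) >= self.capacity:
            raise RuntimeError("token is full")
        self._slots[name] = parse_otpauth(uri)

    def names(self):
        return sorted(self._slots)

    def code(self, name: str, at_time: float = None) -> str:
        """Current code for one slot; each slot uses only its own seed and parameters."""
        p = self._slots[name]
        t = time.time() if at_time is None else at_time
        return totp(p["secret"], t, p["period"], p["digits"], p["algo"])


# Constructed sample URI (hypothetical label/issuer): the RFC 6238 test seed
# "12345678901234567890" encoded in base32, 6 digits, 30-second period, SHA-1.
RFC_SEED_URI = ("otpauth://totp/Example:alice%40example.com"
                "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Example&digits=6&period=30")

if __name__ == "__main__":
    tok = MultiSeedToken()
    tok.add_uri("example", RFC_SEED_URI)
    print("code at t=59:", tok.code("example", 59))  # RFC 6238 test vector: 287082
```

The verifier deliberately evaluates every window slot rather than returning on the first match, and the server side would additionally need to record the last accepted counter per user so a code cannot be replayed within the same step. The slot limit is the logistical constraint the thread is discussing: one token, many seeds, but a fixed number of them.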

That is kind of an annoying workflow; I'd strongly prefer something with a display and input vs. the NEO. (I tried using the NEO as a PGP card, too, and just switched to the PGP cards.)
It's maybe a little silly, but there are J2ME implementations you can stick on a candy bar phone.
Sure, but depending on who's paying and how many subscribers you have, it can be a decent-sized up-front expense. I'd argue it's well worth it in the long run, but a lot of companies would prefer something which is less expensive per user (to them), so based on phones or soft tokens.