Dave Navetta of InfoLaw Group posted a review of "EMI v. Comerica: Comerica's Motion for Summary Judgment" a few weeks ago. Part of the case revolved around the use of one-time code tokens for providing a second authentication factor. The argument, which seems to have succeeded, was that these tokens do not provide a reasonable level of protection for accounts. I couldn't agree more!
Folks, as much as one-time code tokens seem like a good idea, and can have a useful place in authentication schemes, they are not foolproof. Worse than that, organizations that have deployed these tokens in the foolish belief that they will magically halt all phishing and account hacking attempts are laboring under a delusion.