
I see what you mean about losing the phone, but unless you're saving your password locally it still satisfies the old "Something you have, and something you know" rule. If you lose your phone, the attacker won't know your password. And an attacker without your phone won't have your OTP.

These physically secure OTP techniques are interesting, but shouldn't you have accountability at the system level anyways? If everyone has a two-factor device and a password, it's pretty tough to plausibly deny that you logged into a server. Someone would have to have guessed your password and stolen your device.



