Very frustrating that the expert people supplying the extra security for the people wanting extra security are the people falling for stupid stunts like "include an infected Excel file, and hope someone opens it".
That's not an inherent flaw in the idea, though, just in RSA's implementation. There's no real need for the servers to hold on to private device-specific data.
RSA, one provider of such tokens, was hacked making many of those devices worthless.
RSA was hacked because someone in Personnel opened an attachment supposedly from a recruitment agency.
(http://www.pcmag.com/article2/0,2817,2391951,00.asp)
Very frustrating that the expert people supplying the extra security for the people wanting extra security are the people falling for stupid stunts like "include an infected Excel file, and hope someone opens it".