That's not an inherent flaw in the idea, though, just in RSA's implementation. There's no real need for the servers to hold on to private device-specific data.