For significant transactions my bank will SMS me a 6-digit code that I must submit within a few minutes (it becomes invalid after that and I must request a new one).

Seems fairly secure to me, particularly as their internet banking logon is not simple.

'Course if my cellphone is down I'm stuffed.

Not so sure about the fob gadget - anyone could have it.

Comments mix?

Mac



PS:What about collisions? There must be many HMAC-SHA-1 values that truncate to the same HOTP number.