Reply to post: Re: Should have used a hardware dongle

SMS 2FA gave us sweet FA security, says Reddit: Hackers stole database backup of user account info, posts, messages

-tim

Re: Should have used a hardware dongle

If it can be mathematically reduced to "something you know", and every hardware token can be, it is not 2FA in the formal sense. In my case I have a list of token IDs in a database. If they get stolen, then whoever stole them can pretend to be any hardware token I've issued.

The real problem is that any proper 2FA system needs to integrate into older hardware. Sysadmins need to log into things like switches, routers and firewalls, and many of them just don't have proper hooks, and many that do can be tricked with things like fake RADIUS servers. Most 2FA solutions are Windows-only or support a very limited amount of hardware. The old OATH and HOTP systems could be done on just about anything, but like the old RSA tokens, once you have the secret keys, it isn't anything other than an annoying one-time password.
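The OATH/HOTP point in the comment above, as an added example (not code from the commenter or from The Register): an RFC 4226 HOTP generator and a minimal server-side verifier. The verifier's table holds the same seed the token holds, so a valid code proves knowledge of the seed, not possession of a device; the class and function names are my own, and the seed is the RFC's published test vector, not a real key.

```python
import hmac
import hashlib
import struct

# RFC 4226 Appendix D test secret (ASCII "12345678901234567890").
# It is the RFC's own vector, not a deployed key.
RFC4226_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP per RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter,
    dynamic truncation on the low nibble of the last byte, then mod 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class HotpVerifier:
    """Server-side verifier (hypothetical). Because HOTP is symmetric, this table
    must store the very same seed the token stores: a backup of it is all that
    is needed to compute every future code, which is the commenter's point."""

    def __init__(self, look_ahead: int = 5):
        self.seeds = {}            # token_id -> (seed, next expected counter)
        self.look_ahead = look_ahead

    def enrol(self, token_id: str, seed: bytes) -> None:
        self.seeds[token_id] = (seed, 0)

    def verify(self, token_id: str, code: str) -> bool:
        """Accept a code within the look-ahead window and consume the counter,
        so a captured code cannot be replayed once it has been used."""
        seed, counter = self.seeds[token_id]
        for c in range(counter, counter + self.look_ahead):
            if hmac.compare_digest(hotp(seed, c), code):
                self.seeds[token_id] = (seed, c + 1)   # resync to the used counter
                return True
        return False


def server_can_derive_token_code(verifier: HotpVerifier, token_id: str, counter: int) -> bool:
    """Show the reduction to 'something you know': using only what the verifier
    stores, the server computes exactly what the physical token would display."""
    seed, _ = verifier.seeds[token_id]
    return hotp(seed, counter) == hotp(RFC4226_SECRET, counter)
```

The replay check matters operationally: once a counter is consumed, the same code is rejected, so an observed code is only useful until the legitimate user presses the button again.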
