One of the functions of a smart phone is that it can be used as a mobile security token. Whether it be SMS PIN, authenticator app or touch ID, your device can provide an additional level of security to your online transactions.

The problem occurs when you realize that you are substituting one form of authentication for another form. When applied in a multi factor authentication scenario, you may end up with 2 authentications of 1 form, and none of another. For example:

I make a purchase online with my smart phone using the saved credit card in the password vault, and the credit facility requires me to key in the SMS Pin they just sent to me. On the same device that I just made the purchase. Anyone who is in possession of my phone would likely be able to do the same, as I have substituted something I know (my CC number) for something I have (my mobile phone), and the 2nd authentication method is, also, something I have (via SMS to my phone). Hence, you have just reduced the authentication to a single factor, and hence a single point of attack.

What are your thoughts?