Quote Originally Posted by Sparky View Post
They would never work with the community to make this happen, and there's a very good reason why not too. These authenticators work on the basis of a seeded random number string, so to build an app, you would need to know the algorithm they use. By knowing the algorithm and taking a lucky guess at the seed, you would as a result have the tool required to crack the two factor authentication completely... for anyone's account.
Let's set aside the fact that the app wouldn't even have to know that algorithm (all you need to do is have it tell the server "I am a new authenticator, please generate a seed value for me"). "Taking a lucky guess at the seed"? If you've got that kind of luck, then you'd better hurry up and get to Las Vegas before they find out and ban you for life.

There's plenty of one-time password algorithms that are already publicly known. RFC 6238 is used in everything from Amazon to Wordpress, OPIE is included in FreeBSD by default...hell, even Blizzard's two-factor authentication has had its algorithm figured out. As long as the algorithm doesn't call for an incredibly stupid seed (say, an unsalted MD5 of a randomly chosen dictionary word), knowing it won't necessarily give you any sort of advantage.

So you found out that the secret seed value is generated by firing photons into a beam splitter. How exactly is that going to make it any easier for you to guess what the seed value for a given authenticator is?