But how many hardware tokens or TOTP tokens are users willing to deal with? I currently have eight for various clients and systems at work. If each online account required a TOTP token or a custom hardware token, it would be a confusing mess of tokens.
I don't know if there's a safe and easy way of reusing the same token across sites. Until then, SMS really is the only "solution".