I’ve begun work on an offline two factor authentication device. Most of the work has already been done by others; my own contribution will mainly be improving the UX and getting the whole thing to fit in an Altoids-sized tin.
I’m building this device because I haven’t seen anything else like it out there, and I’ve become skeptical of the ability of mobile devices to keep two factor secrets. About a year ago I had an account protected by Google Authenticator breached, likely because my phone was compromised. Phones have notoriously poor security, yet that’s the de-facto 2FA device for most of us.
My rule of thumb now is that all important secrets should be kept on devices that, at minimum, don’t have wifi or Bluetooth hardware at all.
You can follow my progress on Gitlab.