To compensate for the well-known shortcomings of passwords, two-factor authentication adds the possession of a physical token as a requirement. For example, “smart cards” that have small, secure cryptographic capabilities are a common physical token used by enterprises for authenticating identities and authorizing requests. Unfortunately, issuing smart cards can be costly and require a user to hold multiple cards for multiple purposes. Users have a bad habit of forgetting their cards in card readers, and systems accepting a smart card need additional hardware to read them. In remoting scenarios, an unprivileged user may need additional authorization from an administrator to perform a privileged action, but this may require the administrator to reveal his or her credentials to the user.
To avoid the difficulties surrounding smart cards, Bluetooth devices with security credentials have been used in place of smart cards. These Bluetooth devices lack adequate protections for security credentials, however, so smart cards remain the overwhelming choice for two-factor authentication.