Originally Posted by dmurphynj
Is it, though?
What's the difference, realistically, between having an OTP token in, say, Google's authenticator app, and the generator built into the United app? It'd still do the over-the-wire authentication, which is the important part.
What's the security advantage of flipping back and forth between the authenticator app and the United app at login?
Now --- in theory, SHOULD you be using an OTP token on the same physical device you're authenticating? Not really, no. But that's - in practicality - what happens.
So what's the advantage?
At least with the separate app, you could, in theory, be logging into the website on a different device than you're using for communication. When it's part of the same app, there's no chance of it at all, and then it's completely pointless. Anyone who can access the app can also access the OTP.