
It would be annoying to have to walk around with 10 or more OTP devices though...


You don't have to do that given that things like Authy use an open standard for two factor: http://www.ietf.org/rfc/rfc4226.txt. That's the same standard that the Google Authenticator implements. So, you'd really only need a single app.


I think Aardwolf's point is: if you have 2 different service providers (let's say DropBox and Google) authenticate you with an OTP generated from a single OTP seed, they would need to share that seed on the server side, and they won't. Today, I have one OTP generator for Google and one for DropBox.


Yes, but that's not what Authy (and RFC 4226 in general) are expecting. They are allowing multiple seeds in the same app. So, you use one app and get different OTP for different sites.


The article mentions "Matthew Prince protected his Google Apps account with a second code that would be sent to his phone—so the hackers got his cell account". It means the phone was not secure enough to protect these codes. A dedicated hardware token is more secure, but if you have to carry 10 devices on your keychain, this is not very elegant and is annoying.


Matthew Prince is my boss and I know what happened there. He was not using the type of system I am talking about (based on the RFC) but a system that does a voice call or SMS.


Funny, but I have one app for both Google and Dropbox. (Google Authenticator)


mobileOTP is what you are looking for:

http://motp.sourceforge.net/

it supports a number of OTP flavours (OATH-HOTP, OATH-TOTP, mOTP etc.). GOOG and others also provide OATH apps, e.g.:

http://f-droid.org/repository/browse/?fdfilter=OTP

all FLOSS and work with standard services. If you prefer a hardware token, inexpensive Yubikey tools come with every Linux distribution.


There are two solutions:

- Carry one OTP device and authenticate to a federated identity service

- Carry an OTP device which can embed several OTP seeds, such as a smart card



