Can anyone compare this to Google's two-factor authentication using the Authenticator App? The app is open source (http://code.google.com/p/google-authenticator/) and the private key (correct?) is provided via a QR scan.
It's the same concept, yes. And if the servers running the Authenticator at Google were hacked, this system would likely be broken (but you'd also have much bigger problems).
There's no online component... your phone takes the current time (divided by some value), the secret key, and performs a cryptographic function on it, then the system you're logging into does the same thing and compares the results.
With SecurID the secret key is fixed in the hardware (and RSA keep a copy of the key), whereas with Google Authenticator you can generate and input the key yourself, so that Google never sees it.
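The offline computation described in the comment above, as an added example that is not part of the thread and not the Authenticator app's own code: both sides derive a counter from the clock, HMAC it with the shared secret, and compare. It assumes the RFC 6238 defaults (HMAC-SHA1, 30-second step, 6 digits) and a base32 secret as carried in the QR code; the function names and the `window` / `last_counter` parameters are hypothetical, and the key is the RFC 6238 test key.

```python
import base64
import hashlib
import hmac
import struct
import time

# RFC 6238 test key ("12345678901234567890"), base32-encoded. Not a real secret.
RFC_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

def _key(secret_b32):
    s = secret_b32.replace(" ", "").upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))  # restore stripped padding

def hotp(key, counter, digits=6):
    # HMAC the 8-byte big-endian counter, then dynamic truncation (RFC 4226).
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def totp(secret_b32, now=None, step=30):
    # "Current time divided by some value": the counter is floor(unix_time / step).
    now = time.time() if now is None else now
    return hotp(_key(secret_b32), int(now) // step)

def verify(secret_b32, submitted, now=None, step=30, window=1, last_counter=-1):
    """Server side: return the matched counter, or None if the code is rejected.

    window      tolerated clock drift, in steps, on either side of 'now'
    last_counter highest counter already accepted for this user (blocks replay)
    """
    now = time.time() if now is None else now
    key = _key(secret_b32)
    current = int(now) // step
    matched = None
    for c in range(max(0, current - window), current + window + 1):
        expected = hotp(key, c).encode()
        # Constant-time comparison; every candidate is checked to keep timing flat.
        if hmac.compare_digest(expected, submitted.encode()) and c > last_counter:
            matched = c
    return matched

if __name__ == "__main__":
    code = totp(RFC_SECRET_B32)
    print("current code:", code, "accepted at counter:", verify(RFC_SECRET_B32, code))
```

A server would store the returned counter per user and pass it back as `last_counter`, so a code observed in transit cannot be used a second time inside the drift window.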
I can confirm that. The app doesn't require any permissions. I rebooted my phone while in flight mode and the Google login via Authenticator code works as expected.
Right, but a compromise of your token for Google's services would not mean your token for your job was compromised as well. You could even generate a new key for each machine you connect to, if you were paranoid enough.