Cell Phones are not Two-Factor Authentication

Cell phones are not two-factor authentication.

Hackers are already exploiting the fact that people think they are.

Your first factor is a password: something you know. A networked device like a cell phone is only secure as the first-factor data (your phone's password, your GSM authentication key, or any security flaw in the phone) that can be used to compromise it; therefore it cannot be a second factor. A physical device isn't a second factor (something you have) unless it is airwalled from everything other than the authentication point the way EMV chip-and-pin, Yubikey, and SecureID devices are.

Unfortunately the cell phone industry (and cell phone OS industry) doesn't want you to hear this. Two-factor security is fundamentally incompatible with all-in-one devices.