Comment Re:How does it secure against spoofing? (Score 1) 121

The second channel will not secure a compromised channel, but it will make it easier to detect it.

There are various defenses against replay attacks, most of them relying on keys being tied to the current time and only being valid NOW but neither before nor after. But that is only good against a replay; it is quite useless when the attacker is manipulating your own communication. That has been the staple of attacks against banking software since the advent of OTPs, and the only sensible defense against that is actually two-channel communication. Out-of-band one-way transmission (i.e. sending an OTP to the customer to use in the transaction) doesn't help here.

There is very little you can do to combat malware infections unless you are willing to use a second channel. At some point in the communication the data is vulnerable to modification, no matter how well you try to shield it. It resides in memory, unencrypted, at some point in time. And if nothing else, this is where it will be manipulated.

And it's heaps easier to do if the interface used is a browser. You can literally pick and choose just where you want to mess with the data.

Comment Re:How does it secure against spoofing? (Score 1) 121

The system you describe has been implemented often. Most often I've seen it with online games and the like where the main threat is the use of credentials by a malicious third party (i.e. some account hijacker stealing username and password, logging into your account and doing nefarious things with it). For that, you don't need a dongle. You need two synchronized devices that output the same (usually numeric) key at the same time. Basically you get the same if you take a timestamp, sign it using PKI and have the other side verify it. If you have two synchronized clocks, transmitting the signature (or its hash) suffices. That doesn't really require plugging anything anywhere, although it probably gets a lot easier and faster to use if you don't have to type in some numbers and instead have a USB key transmit it at the push of a button.

But that's no silver bullet. All it does is verify that whoever sits in front of the computer is supposedly who they claim to be and entitled to do what they're doing. It does NOT verify what is being sent, or that the content being sent is actually what this user wanted to send.

If anything, it protects Google rather than the user. Because all that system does is make whatever is done by the user of the account non-repudiable. Because whatever is done, it MUST have been you. Nobody else could have done it; nobody else has your dongle.

Comment Re:How does it secure against spoofing? (Score 1) 121

Technically, "real" two-factor authentication, with two different channels involved, requires an attacker to infect and hijack BOTH channels if he doesn't want the victim to notice it.

As an example, take what many banks did with text messages as confirmation for orders. You place the order on your computer, then you get a text message to your cell phone stating what the order is and a confirmation code you should enter on your computer if the order you get as confirmation on your cellphone is correct. That way an attacker would have to manipulate both the browser output on the computer and the text messages on the phone to successfully attack the user.

In other words, it does of course not avoid the infection. It just makes a successful attack much harder and detection of the attack (with the ability to avoid damage) much more likely.
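An added illustration (not from any of the commenters) contrasting the two mechanisms described in these comments: a time-synchronised code that proves who is logging in but says nothing about the order, and a bank-side confirmation code bound to the order fields shown in the text message, so that a browser-side substitution shows up on the phone. Secrets, order fields and the tampered values are constructed for the demo.

```python
import hashlib
import hmac
import time

# Constructed demo secrets; a real deployment provisions these per customer and device.
DEVICE_SEED = b"constructed-device-seed"
BANK_KEY = b"constructed-bank-key"
STEP_SECONDS = 30

def _six_digits(key, msg):
    digest = hmac.new(key, msg, hashlib.sha256).digest()
    return f"{int.from_bytes(digest[:4], 'big') % 1_000_000:06d}"

def time_code(seed, now):
    # Same code on both synchronised clocks within one 30-second window.
    return _six_digits(seed, int(now // STEP_SECONDS).to_bytes(8, "big"))

def login_accepted(seed, code, now):
    # This check never looks at the order: it proves WHO, not WHAT.
    return hmac.compare_digest(time_code(seed, now), code)

def transaction_code(key, order):
    # Code bound to the exact fields the bank prints in the text message.
    canonical = "|".join(f"{k}={order[k]}" for k in sorted(order)).encode()
    return _six_digits(key, canonical)

def sms_for(key, order_as_received):
    # Second channel: the bank sends the order it actually received plus its code.
    return order_as_received, transaction_code(key, order_as_received)

def user_confirms(intended, sms):
    # The customer compares the text message with what they meant to send
    # and only types the code back into the browser if every field matches.
    shown, code = sms
    return code if shown == intended else None

def bank_accepts(key, order_as_received, typed):
    return typed is not None and hmac.compare_digest(transaction_code(key, order_as_received), typed)

def demo(now=None):
    now = time.time() if now is None else now
    intended = {"payee": "ACME Utilities", "amount": "120.00"}
    tampered = {"payee": "Mule Account", "amount": "9500.00"}  # constructed browser-side substitution
    code = time_code(DEVICE_SEED, now)
    return {
        "time_code_passes_for_tampered_order": login_accepted(DEVICE_SEED, code, now),
        "tampered_order_confirmed": bank_accepts(BANK_KEY, tampered, user_confirms(intended, sms_for(BANK_KEY, tampered))),
        "intended_order_confirmed": bank_accepts(BANK_KEY, intended, user_confirms(intended, sms_for(BANK_KEY, intended))),
        "code_transfers_between_orders": bank_accepts(BANK_KEY, tampered, transaction_code(BANK_KEY, intended)),
    }
```

The first result shows the time-synchronised code is accepted no matter what order the malware forwarded; the second shows the mismatch becoming visible on the phone, which is the detection the comment describes.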

Comment Re:I'm still waiting... (Score 2) 161

Since it's not your money, why do you care?

I don't.

Since it's not your wife or husband, why do you care?

I don't.

Since it's not your dog, why do you care?

Since it's a living, breathing creature, unlike a blob of cells, mistreating it shows one's lack of civility, humanity and general lack of morals.

Since it's not your house, why do you care?

I don't, up to the point where your negligence in keeping your property maintained interferes with my property because critters from your area migrate to mine.

Since it's not your city, why do you care?

I don't.

Since it's not your book, why do you care?

I don't.

Since it's not your life, why do you care?

I don't. But then a blob of cells isn't a life.

Comment Not always about the money... (Score 5, Insightful) 161

Nice to see breakthrough research like this coming from a single-payer healthcare system like the UK. When people start saying that the only places that can afford groundbreaking medical research are the ones where the "customers" pay a fortune, it'll be good to be able to point them to things like this.

Simon

Comment How does it secure against spoofing? (Score 5, Insightful) 121

What keeps me (or my malware, respectively) from opening a Google page in the background (i.e. not visible to the user by not rendering it but making Chrome consider it "open") and fooling the dongle into recognizing it and the user into pressing the a-ok button?

A machine that is compromised is no longer your machine. If you want two-factor, use two channels. There is no way to secure a single channel with two factors sensibly.
