Channel 9 Live: Final TechEd Countdown Show

Rick with Corey Sanders, Principal Group Program Manager, Windows Azure.
Could Azure include OTP two-factor authentication (like AWS) for login into portal?
Answer by Corey Sanders in the video at minute 23:24.
Two-factor authentication must comply, at least: 1) "something only the user knows" (aka password), 2) "something only the user has".
Two-factor authentication with phone or email are not effective because communication can be "known" by the service provider. Phone and email ARE NOT "something only the user has"
I found the following interesting article:
"Leverage Windows Azure Multi-Factor Authentication with Windows Azure AD", Philippe Beraud, Microsoft France
This white paper explains the differents options for Multi-factor authentication in Azure AD. In fact the Time-based One Time Password athentication (TOTP) (RFC 6238) is supported by Azure using a mobile app, but not using a token device.
On the other hand, AWS can use a mobile app or a token device (Gemalto), wich is much more secure because secret key is stored in a secure memory into token device.