The problem is that actual programs can be reverse engineered to figure out the algorithm of the phone-authenticator. Let's hope they use a separate algorithm for the physical authenticator and the phone version.

Granted, given enough data anything can be reverse engineered. I just don't like making it easier to do.