Not all second factors are equal. A code texted to your phone can be intercepted, SIM-swapped, or phished in real time; a physical token in your hand cannot be copied over the wire. The MFA market's quiet truth is that the form factor of the second factor determines how much security you actually bought.
Capital One Services, LLC's US11647016B2, “Multi-factor authentication using customizable physical security token” (issued May 9, 2023, from a 2022 filing; CPC H04L 63/083 — password/secret-based access, and H04L 63/0435 — symmetric-key encryption), describes using a customizable physical token as the authentication factor.
Mechanically, the token participates in the authentication exchange as a possession factor — something you physically hold and must present — layered on top of the password (knowledge factor). The “customizable” framing points to a token that can be provisioned for an institution's specific flows rather than a generic one-size dongle.
Why this is a business story for the markets desk: a bank, not a security vendor, holds this patent — a reminder that financial institutions are among the largest spenders on and patenters of authentication technology, because account-takeover fraud hits their P&L directly. The shift from SMS codes toward hardware tokens and, later, passkeys is a multi-billion-dollar reallocation of fraud-prevention spend, and patents like this mark where the regulated buyers placed their bets.
The grounded read: physical-token MFA buys real phishing resistance that texted codes cannot, because possession of hardware cannot be intercepted remotely. Capital One's grant names a customizable-token approach — evidence that the heaviest authentication spenders are the banks defending their own fraud losses.