I feel the idea of public key encryption could be done without a phone but the device locking makes it harder to transfer the token off device. Like the parent comment said, I think 90% is all we can aim for. Nothing is going to be perfect.