Well, Android devices do have "Trustzone"s, where keys are bound to the hardware, and user's identification (pin/password) Sadly, Google Authenticator doesn't seem to be using that. AndOTP does have Android KeyStore backend, which is using Trustzone.