I'm the one that wrote: http://seclists.org/bugtraq/2010/Sep/160

Yes, I'm aware that it's a once-per-lifetime-of-the-device vulnerability, and is non-trivial to exploit.


Another interesting conclusion to draw from the design documents is that the Mobile Authenticator Application is far from a perfect two-factor authentication scheme. There's code in the wild that lets you pull out the SN/Secret Key pair from existing installations, reducing it to "Something you know" (your password) and "Something you know" (SN/Secret Key pair), which should be unique to the device (to serve as "Something you have").

Addendum 2011-11-11: It looks like they are discontinuing support for the application that I wrote this advisory for.  Since I had some cycles available I disassembled the Android version, and it looks like while the protocol used is identical, they are using a cryptographically secure PRNG during initialization so the process should be secure.
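The addendum turns on one design point: whether the per-device secret is drawn from a cryptographically secure PRNG at initialization. The following is an added illustration, not code from the advisory or from the authenticator application, that contrasts a constructed weak initialization (a non-cryptographic PRNG seeded with the enrolment time) with a CSPRNG-based one, and counts how many distinct secrets a batch of enrolments in the same second actually produces. The OTP step uses generic HOTP (RFC 4226) only as a stand-in; the real application's protocol is not described on this page, so that part is an assumption.

```python
import hashlib
import hmac
import random
import secrets
import struct

SECRET_LEN = 20  # 160-bit secret, the usual size for HMAC-SHA1 based OTP


def init_secret_weak(enrol_time: float) -> bytes:
    """Constructed weak pattern (assumption, not the app's real code):
    the device secret comes from a non-cryptographic PRNG seeded with
    the enrolment timestamp. Every enrolment in the same second yields
    the same secret, so the 'something you have' factor is not unique."""
    rng = random.Random(int(enrol_time))
    return bytes(rng.getrandbits(8) for _ in range(SECRET_LEN))


def init_secret_strong() -> bytes:
    """Secure initialization: the secret is read from the OS CSPRNG, which
    is the behaviour the addendum describes for the Android version."""
    return secrets.token_bytes(SECRET_LEN)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """Generic HOTP (RFC 4226), used here as a stand-in for the OTP step.
    Returns the zero-padded decimal code for the given counter."""
    msg = struct.pack(">Q", counter)
    mac = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def distinct_secrets(init_fn, n: int) -> int:
    """Enrol n devices with the given initialization routine and report
    how many distinct secrets result. A correct scheme gives n."""
    return len({init_fn() for _ in range(n)})


if __name__ == "__main__":
    # Constructed enrolment time: many devices initialized in the same second.
    t0 = 1_300_000_000.0
    weak = distinct_secrets(lambda: init_secret_weak(t0), 50)
    strong = distinct_secrets(init_secret_strong, 50)
    print(f"weak init: {weak} distinct secrets out of 50")
    print(f"CSPRNG init: {strong} distinct secrets out of 50")
    s = init_secret_strong()
    print("first two OTPs for a fresh device:", hotp(s, 0), hotp(s, 1))
```

The `distinct_secrets` check is the kind of test a defender can run against any enrolment routine without knowing the OTP protocol: if a batch of enrolments at the same instant collapses to one secret, the second factor is reproducible from public information and the scheme is effectively single-factor, which is the reduction described above.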