To use an OTP system securely, the calculator device/program can't store the password for you, otherwise the device, if stolen, can be used to log in as you.
Yes, by omitting the password you get weak authentication (single-factor) instead of a strong one (two-factor). In reality you can find many commercial OTP tokens which are not directly protected by a PIN/password. For example, see:
* SafeNet eToken PASS
* VASCO DIGIPASS GO series
* RSA SecurID

All of the above widely used products allow sending the PIN/password together with the generated OTP, so the token (a rockboxed player in our case) does not need to allow entering a PIN/password. Of course this solution is less secure, but it is being used widely.
I agree that entering an alphanumeric password or OTP challenge into a player is really awkward, so it is better to:
- use response-only OTP
- use the above-mentioned solution with sending the password together with the OTP, or
- use a special password like a sequence of directions (I think all the players have direction keys) instead of alphanumeric characters
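
The PIN-plus-OTP scheme mentioned above, seen from the server side, as an added example that is not part of the original post. It assumes RFC 4226 HOTP as the OTP algorithm (the post names none); the function names, user record layout, salt and PIN are constructed for illustration.

```python
import hashlib
import hmac
import struct

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP value for one counter (assumed algorithm)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def pin_hash(pin: str, salt: bytes) -> bytes:
    # The server keeps only a salted, slow hash of the PIN; the token keeps none.
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)

def demo_user() -> dict:
    # Constructed record: RFC 4226 test secret, made-up PIN "4711".
    salt = b"constructed-salt"
    return {"secret": b"12345678901234567890", "counter": 0,
            "salt": salt, "pin_hash": pin_hash("4711", salt)}

def verify_login(submitted: str, user: dict, digits: int = 6, window: int = 3):
    """Verify '<PIN><OTP>' typed as one string.

    Returns the next counter to store on success, None on any failure.
    """
    if len(submitted) <= digits:          # OTP alone, no PIN part
        return None
    pin, otp = submitted[:-digits], submitted[-digits:]
    pin_ok = hmac.compare_digest(pin_hash(pin, user["salt"]), user["pin_hash"])
    matched = None
    # Look-ahead window tolerates button presses that never reached the server.
    for c in range(user["counter"], user["counter"] + window + 1):
        if hmac.compare_digest(hotp(user["secret"], c, digits).encode(), otp.encode()):
            matched = c
    # Both factors must pass; the caller stores the returned counter so the
    # same OTP cannot be replayed, and should count failures to limit PIN guessing.
    return matched + 1 if pin_ok and matched is not None else None

if __name__ == "__main__":
    user = demo_user()
    user["counter"] = verify_login("4711755224", user)   # counter 0 value
    print("next counter:", user["counter"])
    print("replay accepted:", verify_login("4711755224", user) is not None)
```

Because the PIN is checked only on the server, the token holds nothing but the OTP secret, and a submission with the OTP alone is rejected.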