The Heartbleed Bug serves as a compelling reminder of the inherent flaws in a security approach founded exclusively – or even primarily – on the password.

In addition to a password, New Jersey online poker sites are required to offer a “strong authentication” login option. The most common option is a PIN sent to a player’s email.

But that measure has fallen short of the expectations of some players, including Michael “Gags30” Gagliano, who recently started petitions on TwoPlusTwo calling for WSOP.com and Party Poker / Borgata to beef up account security options.

Gagliano and others argue that email-based strong authentication fails to protect players whose computers have been stolen or compromised by a keylogger.

The proposed solution: security tokens, standalone hardware (such as RSA SecurID) that generate a second, random key needed to access your account on top of your password.

Such tokens are a common option at major international online poker sites. So where do New Jersey’s online poker sites stand on the issue of adding security tokens to their sign-in process?

Party / Borgata “evaluating the possibility” of bringing security tokens to NJ client

The Party / Borgata client currently offers strong authentication in the form of a PIN sent to a player’s email. A small number of players have reported delays receiving the email.

When asked about the possibility of adding security tokens for New Jersey players, a PartyPoker spokesman said: “We currently offer dual-factor authentication for our .COM client. We don’t yet have this available for .NJ, but we are evaluating the possibility of adding it.”

So what stands in the way of RSA tokens for New Jersey online poker players?

“It is not a case,” the spokesman continued, “of simply enabling the existing functionality we have in place for .COM – NJ has an additional layer of strong authentication which requires a player to specify a 4 digit pin if opted in.”

“Our hope is that RSA tokens could replace this but we need to understand our regulatory position and also the approximate effort required to implement.”

Ultimate Poker already offers mobile-based dual-factor authentication

Ultimate Poker NJ already provides what I would consider to be superior strong authentication.

When a user opts in, they need both a password and a PIN that is sent to their registered mobile device in order to log in. This approach mitigates fears of a compromised computer undermining strong authentication.

An Ultimate representative told me that the room has plans to add even stronger dual-factor authentication, but that there’s no firm timeline in place for adding such features to the client.

RSA tokens coming to 888 international, plans for NJ unclear

Like Party / Borgata, 888 NJ and WSOP NJ also employ the PIN via email method of strong authentication.

Unlike Party, 888 does not offer an RSA token for their international client.

An 888 rep on TwoPlusTwo told players back in January that “something is in the works and should hopefully be implemented in Q1/Q2 of this year.”

Head of WSOP.com online poker Bill Rini recently indicated that there are “no plans in place” to add RSA, but that he would personally “like to see some sort of dual factor authentication as an option for players who want it.”