Do you use PayPal when you are out and about and need to have the Symantec two-factor authentication card with you at all times? If not, I would consider keeping it somewhere safe and nearby (but not at) your computer.
Ultimately, though, I would suggest calling PayPal customer service and asking them how the device should be carried.
I do not usually use PayPal outside of my main computer so I could technically keep the card at my desk stored away. My main curiosity was more about the durability of the card itself if I were to place it in my pocket.
does this do anything better than the open standard that you can put on your phone? seems like a big hassel for something that already exists.
As far as the Google Auth App on the phone, they do not use that. Instead, it sends a text message to your phone which you then enter into their code box. I see both that, and the Google Auth App as very similar as it is a single used token based on time.
I do not always trust the Google Authenticator app, because I saw a small issue with it:
I installed the app on both my phone and tablet, scanned in the QR code for the system I was wanting to log in with. On the phone, and the tablet, there was roughly a 5 second delay between the phone and tablet with the code generation. (even if I launched the app at the same time on both devices). Since each time generation is 30 seconds in rotation, launching each app had it's own code.
On the phone for example, it would have a code of 984914, the tablet would have the code of 148556. After the tablet code expired, it would change over to the 984914, the phone would change over to a new code, later to be echoed by the tablet. This for whatever reason bugs me.
I own a Yubikey which I use on as many sites that support it allow. It generates a OAUTH code which is never ever repeated. If a keylogger for example was to read your password, they would be left with my username and password, and the 48char OAUTH code. Since the code is now invalid, it will not allow a log-in.
Another fascinating new secure authenticator I have run across is called "Clef" which is radically different. I have tried this on some of my personal web sites I maintain and so far have been amazed at how slick the log-in is with that. In short - you load the app on your phone, after the initial handshake with it, you no longer need to open the Clef App, simply click on on the button on your site and it syncs with the phone in the background. This articulates it way better than I ever could.