I'm a big fan of using mobile phones, especially smart phones, as security tokens. If the user locks the phone with a passcode, then it's a pretty good bet that your token is in the right hands. And, unlike little hardware tokens, nobody leaves home without their phone anymore. In addition to applications that might send me a token by SMS, I have three token apps on my smartphone: Symantec VIP which I use for Ebay, PayPal, Symantec MSS, remote login to one of my clients, and some others. Google Authenticator for various Google accounts and for WordPress. Duo Security which I use for my own SSH logins. This was cool until I went into a swimming pool with my iPhone in my bathing suit pocket.
Short answer: much more than you think. Recently I heard a fascinating Planet Money podcast on a project called Project Eavesdrop (podcast here) which NPR's Steve Henn conducted jointly with Ars Technica's Sean Gallagher and Dave Porcello, CTO of Pwnie Express, who make penetration testing tools. The point of the project was to determine what you could find out about a person's internet activities by passive monitoring of their Internet traffic. They monitored Henn's smartphone when it was connected to the WiFi in his home as an analogue to a signals intelligence service's (e.g., NSA or GCHQ) monitoring of the internet backbone. The results were astounding. Henn invited Gallagher to install one of Pwnie's devices in his home office so that Porcello could snoop away at his phone's online footprint when connected to the WiFi hotspot. To be clear, the Pwnie device's WiFi was secured with WPA, so this was not an over-the-air snooping test. This was a simulation of what was being disclosed over the backbone.
Develop a transition strategy for a successful Windows 10 upgrade, and make this migration your best.