
I switched from Gmail to FastMail partly because they offer neat features like one-time passwords. (Two-factor auth with SMS - which FM also has - is nice but not always convenient/possible.)

You choose a "base password" (different from your master password) and it then generates 100 one-time passwords that you can print out and put in your wallet. So to log in, the password you enter is "<base password><one-time password>". Works great. You can also make it restricted so that one-time logins can't delete anything, or change any options.



Gmail supports 2-factor authentication as well: http://support.google.com/accounts/bin/static.py?hl=en&t...

It works by requiring your normal password, plus a one time password that can either be SMS'd to your phone, generated by an Android app, or one on a list that you've pre-printed and keep in your wallet.


Cool, didn't know you could pre-print lists. I think I prefer the FastMail way though. With Google, as I understand it, 2-step authentication is either on or off; you have to use it all the time, or not at all. (Application-specific passwords are an exception but not relevant to the issue with keyloggers and public computers.) With FM, you can always sign in with just your master password, _or_ totallydifferentpassword+one-time-password (and you can have multiple sets of alternative logins).

I don't want to deal with 2-step authentication on devices I trust (e.g., my encrypted laptop). I could switch it on and off every now and then, but with Google I'd always be typing my normal password (for me, generated by KeePassX and impossible to memorize) when doing the 2-step thing, right?


The "Remember me" feature works normally. There's a "remember this computer for 30 days" option that sets a cookie on the computer so that you aren't prompted for the one-time password again, just your regular one (if "Remember me" is turned off).


I actually really like this idea of a one time password being equivalent to a remembered session based on a cookie.

You get read only access with your OTP, and if you want to do something destructive or otherwise important, log in again with stricter authentication.

Making all of your account available all of the time from one basic login seems like quite a bad idea for a sensitive account.
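The FastMail-style login from the first comment (base password followed by one of 100 printed one-time codes, with an optional read-only restriction) and the "stricter authentication for destructive actions" idea from the last one, as an added example in Python that is not FastMail's code; the `Account` class, `OTP_LEN`, the code alphabet and the PBKDF2/SHA-256 hashing choices are assumptions.

```python
import hashlib
import hmac
import secrets

OTP_LEN = 8      # characters per one-time password (constructed choice)
OTP_COUNT = 100  # codes per printed list, as in the comment above
ALPHABET = "abcdefghjkmnpqrstuvwxyz23456789"  # no 0/o or 1/l/i confusion on paper

def _kdf(password: str, salt: bytes) -> bytes:
    """Slow hash for user-chosen secrets (master and base passwords)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def _otp_hash(salt: bytes, code: str) -> bytes:
    # Codes are random, so a plain salted hash suffices; a stolen hash list
    # is still useless without the base password in front of the code.
    return hashlib.sha256(salt + code.encode()).digest()

class Account:
    def __init__(self, master_password: str):
        self.master_salt = secrets.token_bytes(16)
        self.master_hash = _kdf(master_password, self.master_salt)
        self.otp_lists = []   # each: {salt, base_hash, unused, restricted}

    def add_otp_list(self, base_password: str, restricted: bool = True) -> list:
        """Store only hashes; return the plaintext codes once, for printing."""
        salt = secrets.token_bytes(16)
        codes = ["".join(secrets.choice(ALPHABET) for _ in range(OTP_LEN))
                 for _ in range(OTP_COUNT)]
        self.otp_lists.append({"salt": salt, "base_hash": _kdf(base_password, salt),
                               "unused": [_otp_hash(salt, c) for c in codes],
                               "restricted": restricted})  # restricted: no deletes/settings
        return codes

    def login(self, entered: str):
        """Return 'full', 'restricted' or None; a matching code is burned."""
        if hmac.compare_digest(_kdf(entered, self.master_salt), self.master_hash):
            return "full"
        base, code = entered[:-OTP_LEN], entered[-OTP_LEN:]  # code is a fixed-length suffix
        for lst in self.otp_lists:
            if not hmac.compare_digest(_kdf(base, lst["salt"]), lst["base_hash"]):
                continue
            h = _otp_hash(lst["salt"], code)
            # Check every unused code with no early exit, so timing does not
            # reveal whether or where the code matched.
            hits = [i for i, u in enumerate(lst["unused"]) if hmac.compare_digest(h, u)]
            if hits:
                del lst["unused"][hits[0]]   # one-time: never accept it again
                return "restricted" if lst["restricted"] else "full"
        return None
```

A real deployment would also rate-limit login attempts and persist the burned-code state atomically, so that two concurrent logins cannot both succeed with the same code.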



