
Two-factor authentication is a funny thing in 2013.

All computer users understand passwords (and the basics of password complexity/secrecy) at this point. That covers the "something you know" factor.

Many users conceptually understand a "something you have/are" factor in the form of biometric scans or smartcards. Unfortunately, those approaches are not practical to deploy outside a controlled enterprise setting.

On the Web, the only approach that isn't a non-starter today is TOTP, which is what Google Authenticator uses. Unfortunately, basically zero users understand this, creating a large education issue, and frankly it's a pain in the neck for users ("why do I need to go find my phone to log in??"). The upside is that it's easy for Web app developers to integrate TOTP, and it adds significantly to account security if used correctly.

Facebook and Google have offered this as an option for quite some time, and with Twitter's current prominence as part of corporate advertising, I am surprised they are this late to the party.



I really, really wish you were right when you said "All computer users understand passwords [...]". I frequently end up doing a lot of support stuff for my father, and he's not really that old.

His line of work has him dealing with some pretty sensitive material, and two-factor authentication is required for it... something that, when introduced, was a source of many calls and angry shouting. I could have deferred this to their tech people, but I'd much rather spare them the anguish. ;)

Bottom line: It's getting better, but you are still, unfortunately for us all, way too optimistic.


> Unfortunately, those approaches are not practical to deploy outside a controlled enterprise setting.

In what way? Bloomberg uses custom hardware developed in-house (the "B-unit") for four-factor authentication (password, biometric, visual sync, token). These devices are sent to customers all over the world where there is no control over them. All of the device and biometric enrollment is done through the software remotely when the device is received by the end user. So in my experience it is definitely possible to do this outside of the typical employee/enterprise scenario.


Background on the B-Unit: http://www.bloomberg.com/bunit/Overview_Features.pdf

Definitely an interesting device.


I haven't seen the B-unit before, but that is an interesting device.


How are smartcards not practical outside of a controlled enterprise? The biggest issue I see is that most people do not have smartcard readers, but that could be fixed pretty quickly.


In Finland there was a serious attempt to use smart cards for the general populace. It didn't pan out, mostly because nobody had card readers and it had to compete with OTP-based solutions which didn't require extra hardware.



