It's becoming increasingly difficult to live a safe life online relying on a password alone, since even the most intricate password is useless once someone finds it and posts it online.
That's why the two-factor authentication industry has exploded. In its most literal form it means a second way of verifying that it's really you logging in, anything from a text message or phone call to a pop-up on a separate device. Even though it adds a layer of friction to signing up for and logging into services, which can put off a (lazy) user, the result is a far tighter security package. As long as you still have your phone, someone who only has your password won't be able to log in.
An aggressive demonstration of this came from Christopher Mims, a reporter for the Wall Street Journal. He published his password in a nationally read print newspaper and turned on two-factor authentication. In a follow-up piece he revealed that two-factor worked as advertised: nobody got into his account, but Twitter publicly displayed the phone number being pinged for the two-factor code. To quote Mims:
In other words, I think I proved my point: Even when I exposed my password in as public a fashion as possible, my account remained secure. Inadvertently, I also revealed an issue with Twitter's system that, should their engineers rectify it, will only make the system better.
Venture capital has followed: in the last few months, Duo Security raised $12m and Authy raised $3m. In July, mobile identity firm TeleSign raised over $49 million on the back of a successful two-factor authentication business that Forbes reports covers 9 of the 10 top web properties.
Some companies complain that two-factor authentication interferes with the overall usability of the web experience. However, a collaborative academic report by the Internet Society, combining the work of PARC (Xerox's research and development arm), University College London and Indiana University, found that two-factor is perceived as usable when measured by the cognitive strain, ease of use and trustworthiness it demands of a user.
There's little reason not to adopt it beyond a fear of slowing down the flow of new users, and it has become remarkably easy to integrate two-factor into any app. In October TeleSign, potentially using some of the aforementioned funds, released a free SDK for building two-factor authentication into any app. While Duo offers a similar SDK, TeleSign is apparently focusing on ease of integration, the lack of which is one of the many reasons some apps that could use stronger security haven't integrated two-factor.
Even so, there are still issues with two-factor. The Unofficial Apple Weblog warned of new functionality in the latest Mac OS X that forwards texts directly to your computer, so that if someone happened to be using your computer with your password, or had access to your iMessages, they could read your two-factor codes as well: the second factor is no longer on a separate device from the first. The same applies to anyone who uses a web-accessible Google Voice number to receive texts in a browser, or Motorola Connect with a supported phone to receive text pop-ups.
Criminals are crafty, and the result is that it's impossible to create an unbeatable solution. Clef last week received $1.6m in funding to focus on barcodes instead of the simple PINs you receive via SMS in most two-factor authentication setups. Killing passwords is a tough task, but heavyweights like Mastercard are now fighting the battle too. Here's hoping.