I am amused that the two personal accounts I use that have an option of two factor authentication are PayPal and World of Warcraft. Both of those use my phone (PayPal through a one-time code by SMS, Battle.net with an application).

Halifax recently upgraded their system. Now, instead of remembering a username, a password and two of five facts about myself, I have to remember a username, a password I type normally, and a password that they ask for random digits out of, as if that’s significantly different from another password. In fact, the new password can only contain letters and digits, and isn’t case sensitive, so it’s a secondary *less secure* password. In fact, with new Halifax banking accounts being designated a username consisting of their surname and some random numbers, it’s now basically three passwords you need to remember, plus where you went to school.

I wonder if they’ve invested in 3M’s thriving Post-It note business recently.

Recently I was setting up a business bank account with HSBC. That _does_ do two factor authentication by default, with a device they send you in the post. However, the password was restricted to a subset of punctuation on top of normal auth. Worryingly, they specifically banned percentage, at, quote and semicolon symbols.

Two factor auth is technically and socially difficult, and doesn’t solve all the problems either, but three passwords to remember is even worse than one.