
This is a horrible solution. I don't care what security experts say about two-factor authentication. I'm not about to start stuffing my pockets with a pile of security tokens. I have more than enough keys on my keychain, thank you. Unless everyone can agree to use the same physical token, I simply refuse to use a service that makes me carry an extra piece of junk with me all the time.


Although slightly ahead of its time for the masses, there are implementations which do not require you to carry another device. You can use your telephone and be provided with your second factor via voice, SMS or an application running on your smartphone.

For example: http://googleblog.blogspot.com/2011/02/advanced-sign-in-secu...


It's a particularly horrible solution when your bank decides to replace their existing clever nigh-impossible-to-sniff multi-factor authentication system with a little dongle sent to your home address whilst you are overseas. Specifically, I need it to pay off my credit card bill with the same bank; I can still log in and shift money between savings accounts at will.

Ah, but I can still pay my bill by telephone and all I need is to dial in the card number when prompted...


The only problem with this is that it requires everyone to trust a single third party with the authentication. Since the input space that you type in is small, any one-way encryption is easily reversible. This means for every site that the code is good for, you would need to reveal a means to generate the code, rendering it the password problem all over again.

Alternatively, the key-fob could have an arrow to select which site to show the key for, but that would be cumbersome. Personally, I think that a solution similar to the ssh one would be best in that you have some sort of pass phrase that you type into your browser, and it unlocks a private key that can prove your credentials on web sites.


LastPass and Gmail use an app called Google Authenticator to provide two-factor authentication. Works a treat, and I always have my phone.


LastPass is awesome, and even with Google Authenticator, if you do not have your phone with you they give you the option of printing out like 30 one-off codes in case of situations where your phone is dead or missing.


Most of them have an SMS option now. Bank of America offers the token or just one-time-use SMS'd security tokens.


> Most of them have an SMS option now.

Being forced to pay a small fee (by your phone-service provider) to log in isn't much better, I think.


That's a problem with cell-phone providers who overcharge for SMS. An SMS is almost free nowadays, in some cases it actually is free since it goes over channels that would otherwise go unused. SMS seems like a good, cheap, ubiquitous solution for most of the developed world.


People really pay to receive SMS (assuming you are in your home country)?


From horrible providers, yes. The big three legacy operators in Canada charge 15 or 20 cents per message unless you're specifically on a plan that includes a larger allowance.

It's easy to negotiate to get them for free when you have any amount of leverage on the provider, but out of the box you pay.


It depends on your contract. In general, by default, you pay a bit for every text (10 cents maybe?). But you have the option of paying a flat rate for unlimited texting, which is generally something like $10/month. Most people I know choose that option.


Let me ask again the parent's question for clarification. Do people really pay for received SMSes? It sounds like total bullshit, because you don't have an option not to receive SMS from a person, like you have with calls.


Absolutely (in the US here). Some carriers will allow you to block all text messages, which can get rid of the annoying ones you wouldn't want to accept, but also forces legitimate ones to get eaten - causing some people to think you're ignoring them when you actually had no idea they even tried texting you in the first place.


Yes, in the US, if you have no TXT plans, you pay for receiving TXT messages.


Yep. (I don't recall whether Verizon charges me 10 or 20 cents per text, but it's one of the two.)


There's an RSA app that you can download for your phone.


Link?


RSA SecurID Software Token for iPhone and iPad (http://www.rsa.com/node.aspx?id=3651)


Search Android market for "RSA SecurID".


Google two-factor is an iOS/Android app. The tokens are good for 20 or 30 seconds. See also: OpenID.



