We could do a less secure, but more-secure-than-passwords alternative, which is to use email or SMS as a one-time password device. SMS is obviously more secure than email, but would require us to ask people for their phone numbers. We could also make a PKI infrastructure, and allow certificate login, which is obviously safer than passwords.

The real problem with any system stronger than passwords is that it requires a level of complexity that would be difficult for us, and either annoying or very confusing for users.

Respectfully,
Ryan Lane
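The email/SMS one-time code option discussed above needs a few server-side properties to be worth more than a password: the code is random, short-lived, single use, stored only as a hash, and withdrawn after repeated wrong guesses. The following is an added illustration, not code from this thread or any project mentioned in it; the five-minute lifetime, the six-digit length and the five-attempt limit are assumed policy values.

```python
import hashlib
import hmac
import secrets
import time

CODE_TTL_SECONDS = 300      # code expires five minutes after issue (assumed policy)
MAX_ATTEMPTS = 5            # discard the code after this many wrong guesses (assumed policy)


class OneTimeCodeStore:
    """Issues and verifies single-use codes delivered out of band (email or SMS).

    Only a salted hash of each code is kept, so a leaked store does not expose
    live codes. Each code is bound to one user, expires, is consumed on first
    successful use, and is dropped after too many bad guesses.
    """

    def __init__(self, clock=time.time):
        self._clock = clock
        self._pending = {}   # user -> (salt, code_hash, expires_at, attempts)

    @staticmethod
    def _digest(salt: bytes, code: str) -> bytes:
        return hashlib.sha256(salt + code.encode()).digest()

    def issue(self, user: str) -> str:
        """Create a fresh code for `user`; the caller sends it by email/SMS."""
        code = f"{secrets.randbelow(10**6):06d}"   # six digits from a CSPRNG
        salt = secrets.token_bytes(16)
        self._pending[user] = (salt, self._digest(salt, code),
                               self._clock() + CODE_TTL_SECONDS, 0)
        return code

    def verify(self, user: str, code: str) -> bool:
        """Return True exactly once for the correct, unexpired code."""
        entry = self._pending.get(user)
        if entry is None:
            return False
        salt, code_hash, expires_at, attempts = entry
        if self._clock() > expires_at:
            del self._pending[user]          # expired: user must request a new code
            return False
        if hmac.compare_digest(self._digest(salt, code), code_hash):
            del self._pending[user]          # single use
            return True
        attempts += 1
        if attempts >= MAX_ATTEMPTS:
            del self._pending[user]          # too many guesses: force re-issue
        else:
            self._pending[user] = (salt, code_hash, expires_at, attempts)
        return False
```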
OpenID?

The account my own OpenID is tied to has two-factor authentication.

As mentioned in another post, I think we should support OpenID as a provider and a consumer. It pushes the authentication problem elsewhere, but that elsewhere could be more secure than what we are providing, assuming we are providing OpenID over SSL. Unfortunately, that elsewhere may be less secure than us, but that would be the user's choice (or problem, if they don't know their provider is less secure).

Like other methods of authentication, though, providing OpenID as a consumer is confusing for end-users and difficult for us. There are a number of usability issues associated with OpenID that haven't been tackled well yet.

Respectfully,
Ryan Lane