[orib]

With RSA private keys, users don't see or manipulate them directly (usually). With a private-key based security system, most users would go "Huh? what's a private key?" if you asked them to send it.

With biometrics, you can't send them over a phone or over the internet.

Social engineering will always be a problem, but passwords are far easier to obtain with social engineering. Biometrics and so on reduce the number of attack vectors.

[epall]

But, then you've got to keep track of this "private key" thing that's completely intangible to users. What happens when they switch machines? What about when they accidentally format their hard drive? I think having a physical USB dongle would really be the way to go. Plug it in wherever you are, swipe your finger to unlock it. You've got two-factor right there in a simple, easy package. Now all we need is an operating system and environment that would support such a device...