by SeoxyS 5062 days ago
Two-factor authentication is by definition more annoying than regular authentication. The solution to security is not to add annoyance for users, who will simply hate your product, or disable two-factor.

The solution to security is to come up with better and innovative security solutions.

Imagine that you had a "log in with iPhone" button, like the common "log in with Facebook" buttons. It would send down a push notification to your iPhone that shows a dialog "Log in to hn.com? Yes | No." Pressing Yes uses fingerprint-sensing capability under the touchscreen to send anonymized[^1] biometric information to the provider to authorize the login with.

You'd also get a smartphone app to generate temporary login keys for when you need to give a friend access to your account, and get a 32-byte "master" key that can be used to unlock the account without biometric access.

[^1]: simply an HMAC / hash value using both the biometric data + the domain being authorized would deal with privacy concerns.

5 comments
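The footnote sketches a domain-bound HMAC over the biometric data so that a provider never receives the raw template and tokens for different sites cannot be linked. The following is an added example (not the poster's code or any real product's) showing that construction end to end: the phone computes HMAC-SHA256 keyed by the template over the domain, releases it only after the "Yes" tap, and the provider stores and compares only that token. The `DEVICE_TEMPLATE` bytes, the `Provider` class and the `phone_approve` helper are constructed for illustration; the example also assumes the template is a stable byte string, whereas real sensor readings are noisy and a deployable scheme would need a fuzzy extractor or keep the template on the device.

```python
import hashlib
import hmac

# Constructed sample standing in for a stable fingerprint template held on the phone.
# Assumption: real readings vary between scans; this example treats the template as fixed.
DEVICE_TEMPLATE = bytes.fromhex("9f3a1c77e2b04d5a8e6f0123456789abcdef00112233445566778899aabbccdd")


def domain_token(template: bytes, domain: str) -> bytes:
    """Per-domain identifier from the footnote: HMAC-SHA256 keyed by the template
    over the (normalized) domain. Different domains yield unlinkable tokens."""
    normalized = domain.strip().lower().encode("ascii")
    return hmac.new(template, normalized, hashlib.sha256).digest()


def phone_approve(template: bytes, domain: str, user_said_yes: bool):
    """Models the push dialog: the token is derived and released only on 'Yes'."""
    if not user_said_yes:
        return None
    return domain_token(template, domain)


class Provider:
    """Relying party for one domain. It stores only the domain-bound token,
    never the biometric template, and compares in constant time."""

    def __init__(self, domain: str):
        self.domain = domain
        self._tokens = {}  # username -> registered token

    def register(self, username: str, token: bytes) -> None:
        self._tokens[username] = token

    def verify(self, username: str, presented: bytes) -> bool:
        stored = self._tokens.get(username)
        if stored is None or presented is None:
            return False
        return hmac.compare_digest(stored, presented)


def demo() -> dict:
    """Runs registration and login for hn.com and checks the privacy properties
    the footnote is after: case-insensitive domain binding, unlinkability across
    domains, no release without consent, and a second device failing to log in."""
    hn = Provider("hn.com")
    hn.register("alice", phone_approve(DEVICE_TEMPLATE, "hn.com", True))

    # Later login: the phone recomputes the same token for the same domain.
    login_ok = hn.verify("alice", phone_approve(DEVICE_TEMPLATE, "HN.com", True))

    # A token released to another domain reveals nothing usable at hn.com.
    other = phone_approve(DEVICE_TEMPLATE, "example.com", True)
    other_rejected = not hn.verify("alice", other)

    # Declining the dialog releases nothing at all.
    declined = phone_approve(DEVICE_TEMPLATE, "hn.com", False) is None

    # A different phone (different template) cannot impersonate alice.
    other_device = bytes(b ^ 0xFF for b in DEVICE_TEMPLATE)
    impostor_rejected = not hn.verify("alice", phone_approve(other_device, "hn.com", True))

    return {
        "login_ok": login_ok,
        "other_domain_rejected": other_rejected,
        "declined_releases_nothing": declined,
        "impostor_rejected": impostor_rejected,
    }


if __name__ == "__main__":
    print(demo())
```

Because the provider only ever sees the token for its own domain, a dump of its user table cannot be replayed against another site, which is the privacy property the footnote has in mind.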

I'm not a fan of biometrics (I have a fingerprint reader on my laptop) because you can't change your password once it's stolen.

The "Log-in with your iPhone?" could be coupled with some kind of non-biometric authentication and that would be better. But honestly, two-factor with strong passwords is more than enough. The dismal security scenario is mostly cultural, not technological.

This argument is a tautology -- "make secure security less annoying by developing new less annoying but more secure approaches that will not be a barrier to user adoption and ignoring implementation complexity"... hmmmm.

Oh yeah, that'll be way more convenient. Right up until you need to login when your phone is out of batteries, not in wireless coverage, under water, etc.

"I wish I could log in and check my account balance. If only I hadn't burned one finger, and got a cut on the other!"

I had this problem when I was applying for US citizenship. I was on the crew team in college, which means I had calluses all the time on my fingers, and thus blank fingerpads.

I applied for citizenship 3 times over a period of 3 years, and each time got rejected due to poor quality of fingerprints.

Finally I stopped rowing and then got my citizenship. I'm sure there's some way around it, but it was kind of amusing and frustrating at the time.

Make a mold of someone else's and then wear those to your stamping.

That cryptographic "login with iPhone" thing has been done, albeit without the biometric dimension you've suggested. http://www.ekaay.com/?lang=en

Unfortunately the SDK is only available for PHP & MySQL.

"log in with iPhone" button - that almost sounds like Two-Factor authentication...? :)

Seriously - how is that any different than turning on your iPhone and clicking on the Google authenticator app to get your code?