by rprasad 5062 days ago
If only they had built it with two thousand and one factors of authentication!

Joking aside, once you start down the road to two-factor authentication, you might as well go to three factors if you are truly concerned about security. Moreover, at least one of those factors would need to be based on physical properties, i.e., biometrics, or some other intrinsically unique property that can't be forgotten or copied.

1 comment

It's only n-factor if you have n orthogonal keys. Typically "something you know", "something you have", and "something you are". In the same sense that two passwords isn't "2-factor", I wouldn't say that a fingerprint + DNA sample is "2-factor". The problem with "something you are" as a third factor is that it typically requires you to have some hardware to get that information, in which case it's just 2-factor again. And if we get the technology to read out brain dumps, knowing a password is just a part of something you are and we're back to 1-factor... Which suggests it's not the number of factors that is important, but the total number of bits of information involved and how hard it is for theoretical attackers to gather all those bits. Is your scheme torture-proof? I doubt anyone would prefer torture over handing over their phone+password to their gmail account. But most attackers aren't going to come torture you. A phone or a yubikey or what have you is immune to OS keyloggers, which defeat passwords of any complexity; that alone makes them useful against a big class of attackers. What class of attackers does e.g. a thumbprint further defeat? It sounds like it's more useful as a reset verification than anything else--you can forget your password and lose your phone but you don't lose your thumb--usually. (We can also get the 'mark of the beast' and have chips implanted in our hands.)