[brennenHN]

Many companies still charge $50/user/year for two-factor authentication (Wells Fargo wanted to charge me $180/year for it) and even programs that use smartphones can be expensive. What you're suggesting is that companies do it in-house, which is possible with a sophisticated IT department, but still takes significant time (cost) to implement and manage.

You're right that this technology is getting much better, but cost is still a barrier to entry for this space.

[gregdodd111]

I'm a programmer and it took me about an hour to implement and test a basic Two-Factor authentication algorithm using Google Authenticator. That includes creating the QR code, creating the secret string and calculate the current one time password. If you have a decent programmer for your web application then the one time cost involved is very minimal for the benefit that it provides.