freakus_maximus
Posted July 11, 2008

Just wondering what experiences, if any, anyone has in putting together a two-step authentication, since CAPTCHA methods seem to be foiled even for some of the big guys (Google, Yahoo, etc.).

If you don't know, a two-step is normally a something you know (like a PIN) and something you have (like your bank card). Or a token that generates a random 6 digits that need to be used with a PIN; for example, PayPal ships out tokens. I even just read that Blizzard (World of Warcraft) is going to sell tokens to do this two-step authentication to help avoid account hacks.

That's all great for a bank or any other big money-making machine. But if you don't have the clients, the income or even the need to sell/distribute tokens, then what can you do?

So, what do you think of a 2-step authentication that would implement a PIN and CAPTCHA? My thoughts were that if the bots can bust the CAPTCHA, why not involve something the bots can't know (the PIN).

And yes, I know, nothing can be done about trojan/keylogging/phishing scams. These are user/behavioural issues that you can only do so much education about. Really talking more about bots vs. CAPTCHA.