Two-factor authentication is a system in which two different factors are used in combination to authenticate a user. Two factors, as opposed to one factor, will deliver a higher level of authentication assurance. The combined factors could consist of:

• Something the user knows (password or pin)
• Something the user possesses (smartcard, PKI certificates, RSA SecurID)
• Something the user is or does (fingerprint, DNA sequence)

The first option is the easy choice. Passwords are used everyday for a multitude of purposes. The third option is usually some sort of biometric – not a good choice for the web environment. "Something the user possesses" is the best second factor for authentication. Almost all web-based, two-factor authentication solutions available today involve some form of hardware token, such as the RSA SecurID. Distributing these tokens to users is neither cost effective nor scalable in price. A company might be able to afford tokens for 1,000 users, but one good blog post and they could find themselves with 30,000 new users overnight. Requiring users to obtain a hardware token on their own is too much work for the vast majority of users. In addition, tokens have to be synced with special server software, which can often require a proprietary license.

[...]