A number of recent high-profile online account compromises clearly shows the need for strong passwords. As in several cases, it also demonstrated clearly that security settings that depend on secret answers to public questions are insufficient. The most notable of those compromises was probably the Sarah Palin Yahoo account hack

I am not sure when it happened, but Google caught on to this as well and introduced a well-known form of two-factor authentication that can be used for account resets. By telling Google even more about yourself (in this case, registering your SMS-capable cell phone number), they will be able to send a password reset token to your phone.

Using SMS messages as a secondary authentication factor has been used extensively by several European banks and is used to authorize payments made through online banking systems. Every time an online transaction is made, a one-time password in the form of a transaction authorization number (TAN) is sent to the registered cell phone numbers. Payments will only be processed when the web site user is able to produce the correct TAN.

I am glad to see that such relatively simple measures are making it to the mainstream online service providers. While not perfect, security practitioners have been opposed to weak (knowledge-based) authentication schemes for a long time.

Hopefully, this initiative will be picked up by other service providers soon.