The password isn't dead until it's dead everywhere

Adding two-factor authentication has been a topic for years. Unfortunately, security doesn't stop at adding 2FA to each single website.

We'll talk about why deploying Google Authenticator-style OTP isn't enough:

• Managing OTP data for every site is tedious.
• The tedium of tracking the data encourages use of Authy and 1Password.
• Authy and 1Password have reduced the popular approach to not-really-two-factor.
• Attackers will re-use passwords captured on compromised sites on systems that don't require 2FA.
• Compromised websites can be a vector for attacks to other systems behind the same firewall, often using captured passwords.
• Backends like LDAP or RADIUS make the problem worse by enforcing use of the same passwords and OTP secrets everwhere.

And what you can do:

• Use federated identity:
  • For public users: support login with Google+, Facebook, Twitter, Microsoft, or other services
  • For internal users: using Google Apps or SAML
• Use real hardware tokens, including the new, cheap U2F ones
• Isolating website and internal networks