The future of two factor?

The speed at which even complex passwords can be cracked from their one-way hashes is increasing.

Twitter recently determined that it had no option other than to introduce two-factor authentication to its media accounts.

How long before that will spread to the rest of us?

Now, before you start wondering whether you're going to end up with a little token in the post for every system you're trying to access, that's not how I see this working.

What I see happening is that web site publishers will also publish an app for your mobile phone. When you've downloaded it, it will generate a "key" number which you type into your web site "profile".

The app on your mobile phone, and your logon details for the web site, are now "linked."

In future, whenever you log on, you're not only asked for your user name and password, but also for a number. You simply fire up the app on your phone, press a button and it generates a number for you. Type that number into the site and it should then let you in.

What if you upgrade your phone?

Simple. Just log in to the service using your old phone, and reset the number using the new phone. Easy.

There is another way ... log on using the old phone, and if the web site is clever enough, it should be able to display a QR code in the "password change" section. Just take a picture of the QR code with your new phone and it should immediately be able to pick up the old key and continue using it.

The QR code approach could also be used to let secondary devices sync as well, ideal for broadcasters who need to share one "broadcasting" account.
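As an added example (not code from this post), here is the link, press-the-button and login flow described above, together with the QR code hand-over to a new or secondary phone, modelled as HOTP/TOTP from RFC 4226 and RFC 6238. The post names no algorithm, so HMAC-SHA1, 30-second steps, 6-digit codes and the de facto otpauth:// URI format are my assumptions.

```python
import base64
import hashlib
import hmac
import os
import struct
import time
import urllib.parse

def app_generate_key():
    """Phone side: make the shared secret and the Base32 'key' the user types
    into their web profile to link the app to the account."""
    secret = os.urandom(20)  # 160-bit secret, the RFC 4226 minimum
    return secret, base64.b32encode(secret).decode()

def server_store_key(typed_key):
    """Server side: decode the typed key and keep it against the account (the 'link')."""
    return base64.b32decode(typed_key.upper().replace(" ", ""))

def hotp(secret, counter, digits=6):
    """RFC 4226: HMAC-SHA1 over the counter, then dynamic truncation to `digits`."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return "%0*d" % (digits, code % 10 ** digits)

def totp(secret, at=None, step=30, digits=6):
    """The number the app shows when you press the button: HOTP over the time step."""
    at = time.time() if at is None else at
    return hotp(secret, int(at // step), digits)

def server_verify(secret, submitted, at=None, step=30, drift=1):
    """Accept the current step and +/- `drift` neighbours to tolerate clock skew;
    compare_digest keeps the comparison constant-time."""
    at = time.time() if at is None else at
    counter = int(at // step)
    return any(hmac.compare_digest(hotp(secret, counter + d), submitted)
               for d in range(-drift, drift + 1))

def provisioning_uri(secret, issuer, account):
    """What the QR code in the 'password change' section would encode, in the de facto
    otpauth:// format, so a new or secondary phone can pick up the same key."""
    label = urllib.parse.quote("%s:%s" % (issuer, account))
    return "otpauth://totp/%s?secret=%s&issuer=%s" % (
        label, base64.b32encode(secret).decode().rstrip("="), urllib.parse.quote(issuer))
```

The server should also refuse to accept the same code twice within a step, otherwise a number seen over someone's shoulder can be replayed before it expires.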

Yet another way: get the old phone to Bluetooth all the numbers straight to the new one! Tada!

OK, so what if I break the phone beyond use, or it gets nicked, or I drop it in my pint of beer?

The web site will need a mechanism to rescue your account: using your e-mail address to confirm who you are before downgrading your account to a standard username/password account again.

Once that is done, you can access your account again and, once your replacement phone is sorted out, you can re-enable two factor authentication.

This isn't rocket science ... and there is still an inherent weakness in the reset ability ... but I think it is fast becoming the way to go.
