There is an old RFC that explains the problem in very simple terms. Security needs to be transparent, or it fails. If the user needs to see and use security in order to be secure, the user will eventually do something to render the security ineffective.
If you have passwords, users either pick easy ones or write them down next to the device that needs them. If you require physical "key" items, the user leaves the key next to the computer that needs it.
When designing a security system you need to acknowledge this limitation, and design the system with it in mind. Running between "something you know" (passwords) to "something you know and have" (two-factor authentication, like password and phone), and now back to only "something you have" (a USB key) won't solve the problem.
Because they're expected to be kept on a keychain which is commonly kept in one's pocket and which you'd rather not have filled up with chains and bulky cases?
That's just their small device (NEO). I have two of their normal-sized ones that I use for several sites already for 2-factor. The YubiKeys are actually pretty robust and safe enough to keep on a keyring.
The key to this is to still require something that you remember, like your username (and/or a password); they will get stolen, and it is too risky for these tokens to be the only authentication factor.
As long as users are educated that these tokens should in all ways be considered a set of keys then security can only be improved with them.
In one place I know, the company combined the door key and the computer key into the same device to practically force people to take the key with them when they leave. They reasoned that if users can't leave the building without unplugging the key from the computer, then that would be that.
Of course, people still leave the key at the computer when they go to eat, use the bathroom, or when they leave the building as a group.
I have known a fair few people over the years who have had security tokens to be able to log in at work.
For work purposes, i.e. you need it to do your job so it may be required at any point. TFA is saying people will leave it just by the PC they use most often, i.e. at home, which defeats the point.
I think the use of smart phones for 2-factor is the way to go, since it is not something else I need to carry around. Up until recently Barclays Bank (in the UK) had a fairly bulky card reader into which I would insert my card, tap in my PIN, and it would generate a secondary password (I also have to choose letters X and Y from my password). They now have a smart phone app. Much simpler for me now.
Most of that can be taken care of by password storage, such as what is included in most browsers already. However, browsers currently lack a mechanism for creating a random password, so during registration users tend to type whatever gives them the easiest way to click continue.
> currently browsers do lack a mechanism for creating a random password
That can be easily solved by integrating a good password manager into the browser. There are plenty of plugins that automatically generate random passwords, insert them into the appropriate form fields, and save them in a secure "vault" that is synced across devices. It shouldn't be too difficult for browser vendors to offer such functions by default, and gradually upgrade them to incorporate newer standards.
At least, it will be much easier than getting everyone to purchase a physical device, and it's even backwards compatible with existing sites that will probably stick around for another decade or two. I doubt that any solution to the "password problem" will be viable unless it were backwards compatible.
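The generator step the comment above describes, as an added example that is not code from the original thread or from any browser or plugin: each character is drawn from a cryptographically secure source (Python's `secrets`, not the `random` module, whose Mersenne Twister output is predictable), the entropy of the result is computed from the alphabet size rather than guessed, and the length is derived from a target entropy. The alphabet, the default length of 20 and the 128-bit target are assumptions chosen for illustration.

```python
import math
import secrets
import string

# 94 printable ASCII characters: letters, digits and punctuation (assumed alphabet).
ALPHABET = string.ascii_letters + string.digits + string.punctuation

_CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
            string.digits, string.punctuation)


def entropy_bits(length: int, alphabet: str = ALPHABET) -> float:
    """Entropy of a password of `length` characters drawn uniformly from `alphabet`."""
    return length * math.log2(len(set(alphabet)))


def has_all_classes(password: str) -> bool:
    """True if the password contains a lower, an upper, a digit and a punctuation char."""
    return all(any(ch in cls for ch in password) for cls in _CLASSES)


def generate_password(length: int = 20, alphabet: str = ALPHABET,
                      require_classes: bool = False) -> str:
    """Draw each character independently with secrets.choice (CSPRNG-backed).

    With require_classes=True the draw is repeated until every character
    class is present, which many sites demand; rejection sampling keeps the
    remaining distribution uniform over the accepted set instead of forcing
    a character into a fixed position.
    """
    if length < 1:
        raise ValueError("length must be positive")
    if require_classes and length < len(_CLASSES):
        raise ValueError("too short to contain every character class")
    while True:
        password = "".join(secrets.choice(alphabet) for _ in range(length))
        if not require_classes or has_all_classes(password):
            return password


def length_for_entropy(min_bits: float, alphabet: str = ALPHABET) -> int:
    """Smallest length whose entropy over `alphabet` reaches `min_bits`."""
    return math.ceil(min_bits / math.log2(len(set(alphabet))))


def generate_with_min_entropy(min_bits: float = 128.0, alphabet: str = ALPHABET) -> str:
    """Generate a password that has at least `min_bits` of entropy."""
    return generate_password(length_for_entropy(min_bits, alphabet), alphabet)


if __name__ == "__main__":
    pw = generate_with_min_entropy(128.0)
    print(pw, f"({entropy_bits(len(pw)):.1f} bits)")
```

A 16-character password over this alphabet carries about 104.9 bits of entropy; reaching 128 bits takes 20 characters. A vault that stores these must be protected by a key derived from the user's master secret with a memory-hard KDF, which is outside this snippet.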
If the security is to authenticate a user, how do you do it without the user's participation?
You could go for biometrics. But that creates a new problem - unless you're deeply paranoid, you'll leave plenty of DNA, fingerprints and pictures of your irises, without thinking of them as security holes.
You could tie it to the device. But that's no good when you want to check your email on a friend's computer. And if your phone gets stolen with full access credentials... The device is not the same as the user. So I don't see how you can avoid some combination of 'something you know' and 'something you have'.
There are no silver bullets for now, so one needs to design the system with the knowledge that any non-transparent security will be made insecure by the users.
What does that mean in practical terms? It depends. It can sometimes mean moving the question of validation to a third party. It can sometimes mean multilayer security, so that once the first line of security features goes down, the damage done can easily be reverted. It can even be insurance against liability, so that the user's security mistakes do not damage the user. In some cases, one could have a complex revalidation system instead of a complex validation system, so that it is only when a user switches a device (say, a phone) that all the non-transparent security shows itself. It all depends on the exact details, what the exact threat model is, and who the intended user is.
This is why, in my mind, articles like this one are missing the point. They are trying to announce a silver bullet, when such a thing does not yet exist even in theory.
That's not IT issuing you a new password, that's you changing it. The point is that biometrics are perfectly feasible as one of the two factors (instead of something you know) and can still be revoked.
I also don't leave my password on everything I touch.
Biometrics are a terrible idea. Password + token is much safer and infinitely revokable. And the server can even tell when an HOTP device has been cloned.
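How a server can notice a cloned HOTP token, as an added example that is not code from the original thread or from any product mentioned in it. The `hotp` function is RFC 4226 (HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation, six digits). The verifier keeps the highest counter it has accepted and only accepts codes for counters above it, within a look-ahead window; a code that is valid for a counter at or below the last accepted one is reported. Two devices sharing one seed inevitably produce that pattern: whichever one is behind will present a code for a counter the server has already consumed. The look-ahead of five, the window size and the `alerts` list are assumptions for illustration; a real deployment must also treat a stale-counter hit as a possible replay of a captured code, and must lock out after a number of failed guesses, since a six-digit code has only a one-in-a-million chance per counter of matching by accident.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP value for the given shared secret and moving counter."""
    msg = struct.pack(">Q", counter)                      # 8-byte big-endian counter
    mac = hmac.new(secret, msg, hashlib.sha1).digest()    # 20-byte HMAC-SHA1
    offset = mac[-1] & 0x0F                               # dynamic truncation
    truncated = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % (10 ** digits)).zfill(digits)


class HotpVerifier:
    """Server-side state for one enrolled token (assumed design, not a library API)."""

    def __init__(self, secret: bytes, look_ahead: int = 5):
        self.secret = secret
        self.look_ahead = look_ahead
        self.last_counter = -1   # highest counter value accepted so far
        self.alerts = []         # counters for which a stale-but-valid code was seen

    def verify(self, code: str) -> bool:
        # Normal path: the next look_ahead counters above the last accepted one
        # (RFC 4226 section 7.4 resynchronisation window).
        start = self.last_counter + 1
        for c in range(start, start + self.look_ahead):
            if hmac.compare_digest(hotp(self.secret, c), code):
                self.last_counter = c
                return True
        # Not acceptable. Is it nonetheless a valid code for a counter already
        # consumed? That is what a clone (or a replayed capture) looks like.
        low = max(0, self.last_counter - self.look_ahead)
        for c in range(low, self.last_counter + 1):
            if hmac.compare_digest(hotp(self.secret, c), code):
                self.alerts.append(c)
                return False
        return False


if __name__ == "__main__":
    # Constructed scenario: RFC 4226 test seed; the clone copied the seed at counter 0.
    seed = b"12345678901234567890"
    server = HotpVerifier(seed)
    for c in range(3):                      # genuine token logs in three times
        assert server.verify(hotp(seed, c))
    print("clone accepted:", server.verify(hotp(seed, 0)))   # False
    print("stale counters seen:", server.alerts)             # [0]
```

Once the clone has been used, the roles swap: the clone advances the server's counter, and the genuine token's next code is the one that lands in the stale window. Either way the server learns that two devices hold the seed; it cannot tell which one is the original, so the response is to revoke the seed and re-enrol.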
It's really only workable when authing to the device. Not over a network. I'd basically assume that anyone can forge your biometric info, so it's only applicable in scenarios where the forgery is hard to execute.
The difference probably lies in what it's meant to protect. If it gets stolen, it's not only a car, it's the key to your personal identity, along with maybe your bank account, email, work secrets, etc. Losing that key would stress me much more than losing my car keys, even more so if it just works in any computer with a USB port.
I don't disagree with what you wrote about going back to "SYH" being not that smart, but...
It's not transparent when my 65-year-old mom uses a physical device not connected to the computer, into which she inserts her identity card (Java SmartCard) and performs a manual challenge/response to log in and do her online banking.
It's a pain for her: it's SYK+SYH, but it beats going to the bank all the time... So it's not transparent, but it still works because she doesn't really have the choice.