The reality factor

24.07.2006
If you work for a financial institution or a company that processes credit card transactions, this isn't news to you: There's a growing push to require two-factor authentication for logging into your company's information systems.

In January 2005, the payment card industry issued the PCI data security standard, which included this nugget: "Implement two-factor authentication for remote access to the network by employees, administrators and third parties." Last October, the Federal Financial Institutions Examination Council, which creates the standards for federal audits of U.S. financial institutions, issued guidelines stating that single-factor authentication was "inadequate" for Internet-based products and services such as online banking.

In the wake of these mandates, financial institutions are finding out how expensive and operationally challenging it is to require users both to remember a password and to possess some other mechanism, such as a plastic token, to log in. In any event, it's probably time to take a step back and reassess the alternatives.

Security professionals have traditionally defined two-factor authentication this way: using something you know -- usually a password -- along with either something you have, such as a card key, or something about who you are, such as your fingerprint. The idea behind this approach is that it would be virtually impossible for a criminal to simultaneously be in possession of two of these types of authenticators.

This is where theory runs up against some hard reality. Password management already chews up huge amounts of IT resources, with password resets accounting for roughly a third of help desk inquiries in many companies.

Add to this the prospect of implementing new hardware and software on employee laptops to handle card-key swipes or fingerprint scans, or requiring customers to always carry another card or token on their key chains, and suddenly you're facing an enormous financial and operational undertaking.