July 14th, 2006, 01:09 AM
#2
Couldn't agree more.
People are claiming 2-factor auth to be wrong, while in fact it is the right answer... if you keep in mind the original question; now they're changing the question and, unsurprisingly, finding the answer to be wrong.
What is "Ultimate Answer to Life, the Universe, and Everything"... everyone should know this..: 42.
Now what's the ultimate question!?
I happened to reflect on this a while back and what I think (IMHO as it is now) would work best right now would be some kind of "Reverse Password" (TM). By that I mean that the site you are logging into should do some kind of pre-auth, for example username + one time password (e.g. RSA token), then if credentials match, the site displays the pre-arranged "Reverse Password" (which you could provide at registration time for example). User verifies*, purely by memory, that said "Reverse Password" is in fact the one he originally registered, after which, in the same page, user is prompted to provide his password/PIN. Mutual authentication is accomplished.
*Of course, this requires that you educate your users to ALWAYS make sure that when they are accessing your site (or even services like ATMs for which this could work) that they are SHOWN their private and unique reverse password before completing their login.
While this process is conceptually similar to cryptographic mutual auth, I believe that making the process within reach of non-technical users by making it easy to verify the site's authenticity (as opposed to deciphering x509 certificates, which have also been socially engineered in the past) would make the process much more efficient at preventing phishing (although it does not protect against pure network level MITMs; again right answer to right question...).
Comments, critiques?
Ammo
Edit: Seems the idea has been thought of already (would have been surprised if not!); variants on this scheme have already been implemented under the appellation "site key" by Bank of America for example.
Credit travels up, blame travels down -- The Boss
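The pre-auth / reverse-password / PIN exchange described in the post above, as an added example that is not part of the original thread or any vendor's implementation; the class and function names, the event-based OTP and the unsalted PIN hash are assumptions made for the demo. It models both the genuine site and a phishing clone so the user-side check can be seen to refuse the clone.

```python
import hashlib, hmac, secrets
# Added demo of the "reverse password" flow; names here are assumptions, not any vendor's code.
def otp_for(secret: bytes, counter: int) -> str:
    """Event-based one-time code shared by the user's token and the server."""
    return hmac.new(secret, counter.to_bytes(8, "big"), "sha1").hexdigest()[:6]

class Site:
    """Genuine site: releases the user's reverse password only after a valid OTP."""
    def __init__(self):
        self.users, self.sessions = {}, {}

    def register(self, user, reverse_password, pin, otp_secret):
        self.users[user] = {"rp": reverse_password, "otp_secret": otp_secret, "counter": 0,
                            "pin_hash": hashlib.sha256(pin.encode()).digest()}  # salt+KDF in real code

    def pre_auth(self, user, otp):
        rec = self.users.get(user)
        if rec is None or not hmac.compare_digest(otp, otp_for(rec["otp_secret"], rec["counter"])):
            return None                         # wrong user or OTP: reveal nothing
        rec["counter"] += 1                     # each code is accepted once (no replay)
        token = secrets.token_hex(8)
        self.sessions[token] = user
        return token, rec["rp"]                 # the site proves it holds the user's secret

    def finish_auth(self, token, pin):
        user = self.sessions.pop(token, None)
        return user is not None and hmac.compare_digest(
            hashlib.sha256(pin.encode()).digest(), self.users[user]["pin_hash"])

class PhishingClone:
    """Fake site: it receives username and OTP but has no reverse password to show."""
    def __init__(self):
        self.captured_pins = []
    def pre_auth(self, user, otp):
        return "tok", "welcome!"                # must guess; it never held the real one
    def finish_auth(self, token, pin):
        self.captured_pins.append(pin)
        return True

def user_login(site, user, otp, remembered_rp, pin):
    """User's procedure: pre-auth, compare the shown reverse password against memory,
    and type the PIN only if it matches. Returns (site_verified, logged_in)."""
    result = site.pre_auth(user, otp)
    if result is None:
        return False, False
    token, shown = result
    if shown != remembered_rp:
        return False, False                     # refuse: the site did not prove itself
    return True, site.finish_auth(token, pin)
```

A relay that forwards the username and OTP to the genuine site and echoes back the reverse password would pass the user's check, which is exactly the network-level MITM limitation the post acknowledges.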