• We all know username + password doesn't meet the basic requirement of "something you have and something you know"... it's more "something you know and something you know". If more developers were using centralized identities, it becomes cost effective to secure these centralized accounts with physical security measures rather than passwords.

    For example a physical authentication like linking an account to a mobile phone (it sends you a text with a unique key to login) or using a token like this - http://us.battle.net/support/en/article/battle-net-authenticator-faq simply cannot be cracked, no matter how irresponsible or uneducated the user is about security.

    If you had a single online presence it could be linked to a physical form of authentication and the web becomes a much more secure place. You can't have this though until people stop doing two things.

    - Stop blaming your users as if it is a solution to the problem.

    - Stop re-inventing the wheel when designing login portals, it's too complicated and the risk is too high.