• The harder and more onerous the process is, the more likely users will circumvent security through poor practices. There is much work to be done on this and we, as an industry, desperately need a solution that ANYONE can use from ANYWHERE that allows this.

    The biggest issue that I see is access to stored passwords from remote locations (considering that mobiles are not always allowed or often some websites cannot be accessed too). Not everyone works from the same office, home or even devices. Ideally, what we are looking for is the equivalent to Single Sign On for the web.

    I thought that the federation described (i.e. Microsoft Live accounts, Google accounts and OpenID) might resolve it, but we are not quite there yet.

    BTW I am not documenting my security measures here 😉

    Gaz

    -- Stop your grinnin' and drop your linen...they're everywhere!!!