Before the Dropbox two-factor authentication release I didn't realize that the Google Authenticator was built on an open platform. My initial concern with using a third party tool like the Authenticator is that it could lock the user out if the external service was inaccessible. But the RFCs specify an algorithm that only requires upfront coordination with a secret and after that a new key is automatically generated every 30 seconds independently by each side.

Knowing this - and that it's a lot of extra development work in terms or account recovery, etc. - should two-factor authentication be standard issue in future web apps?

I say yea to using multi-factor authentication in general, despite the extra effort. I'm all for heightened security, especially for production servers. In fact, I've been considering using multi-factor authentication with my laptop with a Yubikey (yubico.com).

I definitely think that multi-factor auth should be an option everywhere. I wouldn't make it the de-facto though on consumer products, as it would probably hurt conversions.

I agree that it shouldn't be a required thing at signup. But it does seem like it should be an optional "next tier security" feature similar to what Google and Dropbox offer. How long it will take for it to be widespread as an optional feature? I know that AWS has a key fob you can get, but I don't think there is a multi-factor for my Amazon account.

Is the problem that the bar is too high for developers? Lack of knowledge of the standards and libraries? Lack of demand from customers?

Or am I wrong, and this is not actually that interesting for most people and probably won't ever be available as an option in every web app?

AWS does offer using google authenticator or any other TOTP based token generator.

It's probably too high of a bar for most developers coming from pre-canned authentication/authorization libraries. The standard is well documented and there are many implementations out there. You've obviously struck a chord with me as I've recently implemented this and am working on extracting it to a ruby gem.

We are the 1% when it comes to this, most people use multi-factor auth as a mandate from their internal IT department, I don't see people(consumer/everyday folk) lining up to buy the paypal fob or turn the option on in their google account.

Blizzard offers two way authenticators as well for their games. Mobile app and stand alone authenticator. there are 2 choses. Either all for code everyone to login or asks for coffee when account tries login from new IP. Hacked account numbers lowered tracticly