Theory versus practice. In theory, you're bugged all the time, forever. In practice, there is a notion of before and after. Yes, if you caught my code when I sent it, then I'm no safer (and no worse off). But if you came along *later* and started snooping around my computer, then I am safer.
More to the point, if you are in Bulgaria taking shots at my password (or if you got your hands on the password database and eventually cracked my hash), then you still can't log into my account. (Unless you also crack my 260-symbol random passcard -- good luck with that.)
I'm not sure why practical measures like this are given little or no weight by the security community. They always seem to be seeking the perfect system, rather than looking for simple practical improvements. However, I freely admit that I don't know all the issues, so maybe they have very good reasons for taking that approach (like, having been burnt so many times in the past).