@Kim: That's what I thought too. But I've been using facial recognition to unlock the phone on my Samsung Nexus for quite a while and hardly it has given me any errors. Given the use of HD webcams, I guess facial recognition technology can become quite widespread.

Point taken Rob, and I could do that for two or three things I really need to protect: but I use something like fifty or sixty passwords in my everyday life.  Either I put all my eggs in one basket my using something like LastPass, or I use much simpler (and repetitive) passwords and pins.

I had not heard of Yubico until I read this article. It seems like an interesting concept, but I am skeptical. Google is definitely becoming a hardware company, as evidenced by their acquisition of Motorola Mobility. Yubico would fit into their plans well. 

I'm just not sure straight up hardware is the answer, but perhaps a combination of hardware and biometrics? That makes more sense, given that devices can easily be stolen. A singular device theft may not be as bad as password theft since there is a one-to-one ratio, but retrieving hardware or disabling it may prove harder than jist resetting a password. 

@taimur_tz

I took the picture of a friend on my mobile and put the screen on his phone's camera and it unlocked. See not a very good option after all. Even if they fix this thing still there are going to be more problems.

Kim:

...passwords which aren't very long and complicated (too long and complicated to be remembered).

I'm not convinced that a secure password needs to be as complicated as we make it out to be.  A secure password doesn't need to look like a string of masked obscenities to be secure.  A P455woRd! can be secure even if we make it 5om3Th1ng? that a dic710N@ry doesn't recognize, but that we can visually make out and recall for ourselves.

We may need, instead of a new system, just a MADD-style campaign to change attitudes in favor of 30 or 60 day password rotation.

For now, users will have to value security enough to deal with the inconvenience.

That's the issue in one phrase.  Security is one end of the spectrum and convenience is the other end of the spectrum.

Solutions that favor security at the expense of convenience - no work!

Solutions that favor convenience at the expense of security - no work!

The organization/person that finds the solution that is in the middle of the spectrum - secure enough and convenient enough - is going to make a ton of money!

Is the margin or error significant enough to discourage its use as a aviable alternative to passwords?

I do agree that the device as an alternative to a password falls far too short as a suitable solution. It is simply to cumbersome to have to deal with.

The solution is clearly still out there to be found.

taimur_tz - But would it continue to work if the user suffered a hand injury -- even a minor one?

As per your comment on cloud data being vulnerable to compromise; what about encrypted password managers? They have pretty well proven that they can keep intrusions at the cloud source protected.

The way I see it, the trick is to use authorization techniques that have a random element in them so even if the crook cracks a data source, it will do him no good. The point of authrization could not be replayed, and the ID of the user would be useless to them. I feel this is possible.

I disgussed this before in another post about MagnePrint; however the DARPA project is obviously about only needing the user to authorize. I still feel a similar scheme could be derived using the same concepts, just not the need for a card or other physical device, like a key-fob for this to work.

I think using facial recognition with a 3D algorytm, may produce the same type of result. A replay would be practically impossible, because the chances of a match at any given time would be almost impossible. If the scheme detected a false possitive, the user could simply smile, and clear the problem up! :)