Thus spake "Jamie Reid" <Jamie.Reid@mbs.gov.on.ca>
All that user end security devices do is put more non-repudiable onus on the user, so that when it fails, the service provider is protected, and the user is cryptographically guaranteed to be SOL. ... and when the database gets compromised, nobody will believe that the user isn't responsible, because "The System is Perfect".
I hope this was in jest... All it will take is one expert witness to show the system is not perfect and there's hundreds of ways the bank (or even a smart criminal) could defraud the user.
Biometrics are an excellent example of this. They are a single factor authentication technology, maybe two factor if there is a PIN,
There are now techniques to copy latent fingerprints off surfaces and produce counterfeits that have been shown to fool _all_ commercially available fingerprint gear -- and it costs less than $2 per use. Biometrics is a failure because there is no shared secret; once a user submits to a test (either knowingly or not), the validator has all the information necessary to spoof that person _for the rest of their life_.

S

Stephen Sprunk
CCIE #3723
K5SSS

"God does not play dice." --Albert Einstein
"God is an inveterate gambler, and He throws the dice at every possible opportunity." --Stephen Hawking