Almost exactly a year ago in my blog on Information Security Themes for 2013, I said:
"Passwords suck. Passphrases are just long passwords, and they also suck. Every two-factor scheme out there really sucks – mostly because I have so many different tokens that I have to carry around depending on what I want access to."
And I was right. In 2013 we saw password dumps and cracking that make 2012 look trivial. This problem is not getting better, and with all the cheap GPU capacity available, it is getting even easier for anyone and everyone to crack passwords. There are certainly cryptographic answers, such as key stretching with PBKDF2 (if you still trust RSA, whose PKCS #5 defines it), which makes each guess cost the attacker thousands of hash computations instead of one. But stretching only helps once a system actually stores stretched hashes: it is slow to retrofit into existing systems, since a stored hash can only be upgraded when its owner next logs in, it does nothing for a dump that has already been taken, and the existing systems and all their juicy data will be around for a very long time.
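To make the key-stretching point concrete, here is an added example (not code from the original post): PBKDF2-HMAC-SHA256 password storage with a per-user salt and a self-describing record, verified in constant time, plus the upgrade-on-login path that is the only way to retrofit stretching onto a legacy store of unsalted SHA-1 hashes. The record format, the iteration count, the `legacy_sha1` store and the sample passwords are assumptions constructed for this illustration, not anything from the post.

```python
"""Added example: PBKDF2-HMAC key stretching for stored passwords, plus an
upgrade-on-login path for a legacy unsalted SHA-1 store.  The record format,
iteration count and legacy store are assumptions made for this illustration."""
import base64
import hashlib
import hmac
import os
from typing import Optional, Tuple

SCHEME = "pbkdf2_sha256"
TARGET_ITERATIONS = 600_000   # assumed work factor; raise it as hardware gets faster


def hash_password(password: str, iterations: int = TARGET_ITERATIONS,
                  salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: scheme$iterations$salt$hash (base64).

    Storing the iteration count with the hash lets the work factor grow
    over time without breaking verification of older records."""
    if salt is None:
        salt = os.urandom(16)          # unique per user, so rainbow tables are useless
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                             iterations, dklen=32)
    return "$".join([SCHEME, str(iterations),
                     base64.b64encode(salt).decode("ascii"),
                     base64.b64encode(dk).decode("ascii")])


def verify_password(password: str, record: str) -> bool:
    """Recompute with the record's own salt and iteration count; constant-time compare."""
    scheme, iters, salt_b64, dk_b64 = record.split("$")
    if scheme != SCHEME:
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(dk_b64)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                                    int(iters), dklen=len(expected))
    return hmac.compare_digest(candidate, expected)


def needs_rehash(record: str) -> bool:
    """True if the record's work factor is below the current target."""
    scheme, iters, _, _ = record.split("$")
    return scheme != SCHEME or int(iters) < TARGET_ITERATIONS


def legacy_sha1(password: str) -> str:
    """The kind of unsalted, unstretched hash an old system stores.
    (Constructed for this example; one SHA-1 per guess is what GPU crackers feast on.)"""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def login_and_upgrade(password: str, record: str) -> Tuple[bool, str]:
    """Authenticate against whatever is stored and, if it is a legacy hash or an
    under-stretched PBKDF2 record, return a fresh record for the caller to write
    back.  Only users who log in again get the stronger hash; a dump taken
    before that point is exactly as weak as it ever was."""
    if "$" not in record:                      # legacy unsalted SHA-1 hex digest
        if hmac.compare_digest(legacy_sha1(password), record):
            return True, hash_password(password)
        return False, record
    ok = verify_password(password, record)
    if ok and needs_rehash(record):
        return True, hash_password(password)
    return ok, record


if __name__ == "__main__":
    old = legacy_sha1("hunter2")
    ok, new = login_and_upgrade("hunter2", old)
    print(ok, new.split("$")[:2])              # True, ['pbkdf2_sha256', '600000']
```

Each successful login against a legacy record is the moment to replace it; accounts that never log in again keep their one-SHA-1-per-guess hashes, which is why the post's warning about old systems and old dumps still holds.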
So where are we at the beginning of 2014? Same place we were last year, and my advice hasn't changed. Instead of trying to authenticate the user, we need to authenticate the transaction. And that is still a hard problem that our backward-looking way of thinking makes even more difficult to address.