Re: What's the fallback mechanism?
Why is something better needed? If most people are using bad passwords, it seems safe to conclude that they consider theft and destruction of their data and other assets acceptable. That means passwords are an acceptable solution and therefore something better may be desirable but is not necessary. If that outcome were *not* acceptable, presumably those users would choose strong passwords, which would achieve the desired result.
Note how this is different from, say, a system of authn that relies on 4-digit numeric passwords. Since it is not possible for such a system to provide strong security for any user, if that were the most popular authn system in use we would indeed need a better one. Oh, right: in most of the world, that *is* the most popular authn system, and it protects MONEY of all things. Perhaps we ought to start there instead of worrying about people who purposely choose passwords they know to be weak in authn systems that are capable of providing excellent security if only they wanted it.
Biting the hand that feeds IT
