Schneier sums up by saying something like "...2-factor authentication solves the problem of authentication, and hence mitigates some security concerns. But it does not solve non-authentication related vulnerabilities, which unfortunately are the more common. So 2-factor authentication does not in fact help much".
Let me present an alternative perspective: 2-factor authentication solves the problem of authentication data compromise at the service-provider end.
Let's say that a bank's authentication data store has been compromised. Take the case in which the bank does not have 2-factor authentication; there is nothing preventing an attacker from using the authentication data.
Now, take the case where the bank does have 2-factor authentication. Then, even if the authentication data (user names, passwords, PINs...) are compromised, the attacker is still in the dark, since part of the key is still with the user (i.e. the token which generates a one-time password, or a digital certificate located in a smart card). I am assuming that the data store for any secret keys that the 2nd factor uses is in a separate data store at the bank end.
So 2-factor authentication guards against the bank's authentication data being compromised. It effectively closes one door, in terms of the bank's liability.
In contrast to this, authentication data compromise at the user end (through, as Schneier points out, man-in-the-middle attacks and Trojans, as well as just nicking the piece of paper your username and password are written on along with the 2-factor authentication token) is not completely solved at the user end. Mitigated, because you have to steal a token or log another key sequence, but not eliminated.
The neat thing is that the bank is effectively securing their end of the stable by introducing a gadget to be used by the customer. I don't know whether to feel awed or used... 12:05 AM
said...
*sigh*
It is all about reducing their liability. Consider: fraud has a knock-on effect for the bank because every claim will inevitably lead to an increase in the premiums.
By requiring yet another token, they may reduce tangible fraud (not likely), but they will reduce their premiums. It's the same as being able to get a lower insurance quote for your house because you have a better burglar alarm installed. The tangible savings on fraud protection premiums are far more than the possible savings via actually reducing the amount of fraud.
Schneier's latest might also interest you.