Schneier on Security: Bank Botches Two-Factor Authentication

The interesting stuff, however, is in the comments. Schneier hit a nerve, and his audience responds. Some comments claim banks believe their regulators want "two-factor authentication" and, in the interest of doing nothing of value, they interpret this as multiple passwords, intermittent security questions, anonymous user IDs, etc. They probably figure they can avert expensive mandates for physical tokens with a load of smoke and mirrors. They're probably right, but the increased complexity and illusory security measures will almost certainly increase consumer losses.
... Um, hello? Having a username and a password -- even if they're both secret -- does not count as two factors, two layers, or two of anything. You need to have two different authentication systems: a password and a biometric, a password and a token...
I hope Schneier starts piling on to the banks ...