Factor and a Half Authentication


Users choose poor passwords. That's not really surprising. Two-factor authentication (or, at least, certificate-based auth or any scheme that does not rely on user-chosen secrets) goes a long way towards solving the problems of interactive password guessing and offline brute-force attacks. But the usability of passwords is quite high, and the uptake of two-factor authentication systems is low. Is there a system that combines the usability of passwords with better security against password brute-force attacks?

Typically, the defence is for the server to store neither the password nor a single hash of it, but the password protected with many iterations of a hash, very often using PBKDF2. But there are limits to the security such a scheme can provide (regardless of the underlying hash), since the more iterations a password is protected with, the worse the login-time performance is. Would a user tolerate a 5-second delay to log in? 10 seconds? A minute? Furthermore, memory-hard schemes like scrypt are limited by available server memory.

"Factor-and-a-half" authentication is a scheme that presents a very different set of tradeoffs compared to single-factor or traditional multi-factor authentication. It provides much stronger password security than single-factor authentication, including novel properties that make password guessing (both online and offline) much more difficult, without the overhead of multi-factor authentication. By combining client-side hashing, proof-of-possession, and proof-of-work, online and offline brute-force attacks can be made arbitrarily difficult, provided the user is willing to pay a one-time setup cost.
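To make the tradeoffs above concrete, here is an added Python example (not code from the post or from the attached paper, whose protocol is not reproduced here). It shows three of the building blocks the two preceding paragraphs discuss in isolation: server-side PBKDF2 verification whose login delay grows with the iteration count; client-side stretching, where the client pays the PBKDF2 cost and the server stores and checks only a cheap hash of the stretched value, so a stolen record still costs an offline attacker the full PBKDF2 per guess; and a hash-based proof-of-work gate that raises the cost of every online guess before the server even consults the verifier. All function names, the sample password, the salt length and the difficulty values are this example's own assumptions, and the "client" and "server" halves simply run in the same process.

```python
"""Added illustration of server-side stretching, client-side stretching and a
proof-of-work gate. Not the factor-and-a-half protocol itself; all names and
parameters are assumptions made for this example."""
import hashlib
import hmac
import os
import time

HASH = "sha256"
SALT_LEN = 16  # assumed salt length


# ---- 1. conventional server-side stretching (the server pays per login) ----
def server_enroll(password: bytes, iterations: int) -> dict:
    """Store salt, iteration count and the PBKDF2 output."""
    salt = os.urandom(SALT_LEN)
    dk = hashlib.pbkdf2_hmac(HASH, password, salt, iterations)
    return {"salt": salt, "iterations": iterations, "dk": dk}


def server_verify(record: dict, password: bytes) -> bool:
    """Recompute the full PBKDF2 on the server and compare in constant time."""
    dk = hashlib.pbkdf2_hmac(HASH, password, record["salt"], record["iterations"])
    return hmac.compare_digest(dk, record["dk"])


def verify_seconds(record: dict, password: bytes) -> float:
    """Wall-clock cost of one server-side verification: the login delay."""
    start = time.perf_counter()
    server_verify(record, password)
    return time.perf_counter() - start


# ---- 2. client-side stretching (the expensive step leaves the server) ------
def client_stretch(password: bytes, salt: bytes, iterations: int) -> bytes:
    """Runs on the client; the server never sees the raw password."""
    return hashlib.pbkdf2_hmac(HASH, password, salt, iterations)


def client_enroll(password: bytes, iterations: int):
    """Return (public params the client needs later, private record the server keeps)."""
    salt = os.urandom(SALT_LEN)
    stretched = client_stretch(password, salt, iterations)
    # The server keeps only a cheap hash of the stretched value. An attacker who
    # steals this record must still run the full PBKDF2 for every guess, and the
    # server itself never holds the password-equivalent stretched value at rest.
    verifier = hashlib.sha256(stretched).digest()
    return {"salt": salt, "iterations": iterations}, {"verifier": verifier}


def server_cheap_verify(record: dict, stretched: bytes) -> bool:
    """One SHA-256 on the server, however many iterations the client ran."""
    return hmac.compare_digest(hashlib.sha256(stretched).digest(), record["verifier"])


# ---- 3. proof-of-work gate on online attempts -------------------------------
def pow_ok(challenge: bytes, solution: int, difficulty_bits: int) -> bool:
    """Accept if SHA-256(challenge || solution) starts with difficulty_bits zero bits."""
    digest = hashlib.sha256(challenge + solution.to_bytes(8, "big")).digest()
    return int.from_bytes(digest, "big") >> (256 - difficulty_bits) == 0


def solve_pow(challenge: bytes, difficulty_bits: int) -> int:
    """Client side: expected work is 2**difficulty_bits hashes per login attempt."""
    solution = 0
    while not pow_ok(challenge, solution, difficulty_bits):
        solution += 1
    return solution


def server_login(record: dict, challenge: bytes, difficulty_bits: int,
                 solution: int, stretched: bytes) -> bool:
    """Server side: reject cheaply unless the proof-of-work is valid, then check the verifier."""
    if not pow_ok(challenge, solution, difficulty_bits):
        return False
    return server_cheap_verify(record, stretched)


if __name__ == "__main__":
    pw = b"correct horse battery staple"  # constructed sample password
    for n in (10_000, 100_000, 1_000_000):
        rec = server_enroll(pw, n)
        print(f"server-side PBKDF2, {n:>9} iterations: {verify_seconds(rec, pw):.3f}s per login")

    params, rec = client_enroll(pw, 1_000_000)
    challenge = os.urandom(16)          # per-attempt challenge issued by the server
    sol = solve_pow(challenge, 12)      # client spends ~4096 hashes before it may try
    good = client_stretch(pw, params["salt"], params["iterations"])
    bad = client_stretch(b"hunter2", params["salt"], params["iterations"])
    print("client-side + PoW, right password:", server_login(rec, challenge, 12, sol, good))
    print("client-side + PoW, wrong password:", server_login(rec, challenge, 12, sol, bad))
```

Two caveats a practitioner should keep in mind when reading this sketch. The stretched value the client sends is a password-equivalent for that one account, so it must travel over an authenticated channel (or be folded into a challenge-response), and the proof-of-work only slows an online attacker, it does not stop one; the post's scheme adds proof-of-possession on top of these pieces, which this example does not model.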

The attached paper describes the protocol in more detail.
