Password hashing best practice (TL;DR use bcrypt) has been a bit in the spotlight recently.
There has been a natural progression in the blogosphere as it tracks LinkedIn’s shame. Yes, you should use a password hash function with integrated salting, e.g. bcrypt or scrypt. Yes, it’s scary reading developers’ comments as they muddle through trying to invent their own solutions in the comments on these stories.
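As an added illustration (not code from the original post), here is what "integrated salting" plus stretching looks like using the scrypt function in Python's standard library: a fresh random salt per password, the cost parameters stored alongside the hash so they can be raised later, and a constant-time comparison on verify. The record format and the cost values are my own assumptions.

```python
import base64
import hashlib
import hmac
import os

# Stretching cost (assumed; raise as hardware gets faster). Memory use is 128 * r * n bytes.
SCRYPT_N = 2 ** 14
SCRYPT_R = 8
SCRYPT_P = 1
SALT_BYTES = 16
DIGEST_BYTES = 32


def _kdf(password, salt, n, r, p):
    """Run the memory-hard scrypt KDF over the password and salt."""
    return hashlib.scrypt(password.encode("utf-8"), salt=salt, n=n, r=r, p=p, dklen=DIGEST_BYTES)


def hash_password(password, salt=None):
    """Return a self-describing record: scrypt$N$r$p$<salt b64>$<digest b64>.

    A fresh random salt per password means two users with the same password
    get different records, and a precomputed table is useless against the dump.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = _kdf(password, salt, SCRYPT_N, SCRYPT_R, SCRYPT_P)
    return "$".join(["scrypt", str(SCRYPT_N), str(SCRYPT_R), str(SCRYPT_P),
                     base64.b64encode(salt).decode("ascii"),
                     base64.b64encode(digest).decode("ascii")])


def verify_password(password, record):
    """Re-derive with the parameters embedded in the record and compare in constant time."""
    try:
        scheme, n, r, p, salt_b64, digest_b64 = record.split("$")
    except ValueError:
        return False
    if scheme != "scrypt":
        return False
    expected = base64.b64decode(digest_b64)
    actual = _kdf(password, base64.b64decode(salt_b64), int(n), int(r), int(p))
    return hmac.compare_digest(actual, expected)


def needs_rehash(record):
    """True if the stored record was stretched with weaker parameters than the current policy."""
    _, n, r, p, _, _ = record.split("$")
    return (int(n), int(r), int(p)) < (SCRYPT_N, SCRYPT_R, SCRYPT_P)
```

Because the parameters travel with the record, a login that succeeds against an old, cheaper record can be transparently re-hashed with the current cost.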
And that blogosphere progression has now reached 2-factor authentication. This just slipped in from an expert (who downplayed salt; yes, stretching is critical, but you would be crazy to stretch without salting too):
But the real answer is things like two-factor authentication with smart phones. Two factor authentication seems like the answer to me. I think ten years from now this is going to be a common approach. [Thomas H. Ptacek]
It’s a step in the right direction, of course. But a chain is only as strong as its weakest link, and phone companies are very weak links indeed: