This is in reply to this, but I felt it would be disturbing and going off-topic from what was being discussed there:
I believe this is wrong in concept: "Unfortunately, we often find that passwords are the weakest link in the security chain."
The weakest link isn't the password, but commonly the ways you have to recover it.
For Hotmail, for instance, there is a limited choice of questions; if given the right answer, you would probably be easily hacked by someone who knows you. Actually it happened to me, with an ex-girlfriend opening my old mail not knowing the password but, obviously, knowing my mother's name.
Also, these options are weaker against dictionary attacks: "where you were born", "the name of your street", "your dog's name", "mother's/father's name", "car maker"... almost all end up being common names. So, even if your password is aAjjsEW$$$%%@@hsu89y3 or even more complex and your security question is "What's your father's name?" -> A: Bob, you aren't safer than if the password itself were Bob.
"Two factor" also has a weak spot: what if you lose your cellphone? Or for some reason your operator cancels/changes your number?
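The weakest-link argument in the post above, as an added example that is not part of the original post: a small audit that estimates the guessing cost of every way into an account (password and each recovery answer) and reports the cheapest one. The function names, the character-pool estimate and the tiny `COMMON_ANSWERS` list are assumptions made for illustration.

```python
import math
import string

# Constructed sample dictionary of typical security-question answers
# (assumption; a real audit would load a far larger name/place/brand list).
COMMON_ANSWERS = {"bob", "john", "mary", "rex", "ford", "toyota",
                  "main street", "london"}

# Character classes used for a rough brute-force upper bound.
CLASSES = [string.ascii_lowercase, string.ascii_uppercase,
           string.digits, string.punctuation + " "]


def charset_bits(secret: str) -> float:
    """Rough brute-force estimate: length * log2(pool of classes used)."""
    pool = sum(len(cls) for cls in CLASSES if any(c in cls for c in secret))
    return len(secret) * math.log2(pool) if pool else 0.0


def answer_bits(answer: str, dictionary=COMMON_ANSWERS) -> float:
    """An answer found in the dictionary costs at most log2(len(dictionary))."""
    if answer.strip().lower() in dictionary:
        return math.log2(len(dictionary))
    return charset_bits(answer)


def weakest_path(password: str, recovery_answers: dict):
    """Return (path name, bits, all paths); account strength is the minimum."""
    paths = {"password": charset_bits(password)}
    for question, answer in recovery_answers.items():
        paths["recovery: " + question] = answer_bits(answer)
    name = min(paths, key=paths.get)
    return name, paths[name], paths


if __name__ == "__main__":
    # The password and question/answer pair quoted in the post.
    name, bits, paths = weakest_path(
        "aAjjsEW$$$%%@@hsu89y3", {"What's your father's name?": "Bob"})
    for path, value in paths.items():
        print(f"{path:40s} ~{value:6.1f} bits")
    print(f"effective strength: ~{bits:.1f} bits via {name}")
```
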