>There is a pretty clear path off of it, via physical token authenticated password managers. The only thing missing is a standardized and well popularized protocol for changing passwords.
I don't think it's that simple. After all, the basic tech to handle this stuff has been around for literally decades at this point. Even in terms of open source, projects like OpenSC date back a decade and a half (2002 or before). The problem has always been in terms of bringing the elements together into a standardized system that has a least a few major implementations with good UI, and gaining critical mass to kick start a virtuous circle of adoption, uptake, demand, and more adoption. It's not a technology problem. I've seen enough hopes raised followed by false starts or even flat out regression that I think it'll be a hard slog, though as the problem is only getting worse I'm hopeful we'll get there eventually. And even more, that once there is at least one good mass example showing people how things could be better there will be mass demand and we'll see a nice S-curve of adoption rather then linear.
I don't think it's that simple. After all, the basic tech to handle this stuff has been around for literally decades at this point. Even in terms of open source, projects like OpenSC date back a decade and a half (2002 or before). The problem has always been in terms of bringing the elements together into a standardized system that has a least a few major implementations with good UI, and gaining critical mass to kick start a virtuous circle of adoption, uptake, demand, and more adoption. It's not a technology problem. I've seen enough hopes raised followed by false starts or even flat out regression that I think it'll be a hard slog, though as the problem is only getting worse I'm hopeful we'll get there eventually. And even more, that once there is at least one good mass example showing people how things could be better there will be mass demand and we'll see a nice S-curve of adoption rather then linear.