Bruce is correct that an attacker who is currently in control of your computer can act as you despite two-factor authentication, and only good PKI can fix that.
It is, however, disingenuous to put two-factor authentication in the same category as what the TSA does. Consider these two attacks:
1. attacker has control of your computer right now
2. attacker steals your password, but does not currently have control of your computer
Two-factor authentication creates a distinction between these two cases: in case 1, the attacker can still do whatever they like, but in case 2 (which is extremely common due to keylogging and the like), they are helpless. If the attacker wants to use my account to send spam or to reset my bank account password, they only have the narrow window when I'm actually on the computer in which to do it; and since I'm on the computer specifically to pay attention to that account, they will have to go to a lot of extra trouble to keep me from noticing that activity.
Google's two-factor authentication meant I was, if not comfortable with, at least not horrified by the prospect of using internet cafes when my wife and I went on our honeymoon last year, which in turn meant I didn't need to carry an extra 5 pounds of laptop on a backpacking trip if I wanted to be able to keep up with business back home.