Mobile devices also come with rich location information and if, suddenly, a user from Jersey City N.J. is attempting to log in from Saigon, that's a red flag.

Add it up and will devices themselves begin to take over more of the authentication burden from consumers? Experts surveyed by Credit Union Times said that day may be coming sooner than you think and that could be very good news for beleaguered security managers.

“For most things, device ID is much better than user ID. Devices are really good at security, People are really bad at it,” said Andy Tarbox, an executive with Wave Systems, a Lee, Mass., company that is building out a networking model based on “trusted computers.” The idea: it's possible to know enough about a computer to know it is a reliable friend. “There is a real movement towards security based on strong device identification,” said Tarbox.

Not so fast, say others.

“There's a great interest in using mobile devices, but it won't be widely adopted before most consumers have these devices,” said John Pironti, president at consulting firm IP Architects and an ISACA advisor. “There's the lowest common denominator problem,” said Pironti, by which he meant a financial institution is unlikely to require a customer or member to have a smartphone and those who don't need an access route in – which means mobile cannot by itself secure the perimeter.

Pironti also pointed to the fact that sometimes, in some places, there just is not access to cellular devices – on airplanes, for instance, and also in parts of rural America. There needs to be more ubiquity of access and ownership, he suggested, until mobile devices become the centerpiece in secure logins.

“Probably this eventually will go places,” said Pironti, “but I believe device authentication will be one of several options.”

Pironti's cautions may be on the money. Even so, many pioneers are taking steps to hurry the arrival of devices into the center stage of authentication. At iovation, for instance, Chief Technology Officer Scott Waddell explained that the company's business revolves around building reputation histories for particular devices – and that those reputations can help financial institutions decide to grant or deny access.

Say a legitimate user name/password is used – but the access is coming from Lagos, Nigeria using a device that has a reputation of involvement in scams and con games. That might be an easy decision, but it proves a point: knowing more about the devices is a step towards more- secure financial transactions.

Waddell himself cautioned however that useful as knowledge of a device can be, “we also know that devices can be tampered with.”

The other hold-up delaying adoption by financial institutions, according to Rick Doten, chief information security officer at Bethesda, Md.-based DMI · Mobile Enterprise Solutions, is “the lack of regulatory requirements involving devices.”

He explained, that in his view, most financial institutions “want to spend as little money as possible on security,” so they do what the regulations demand, nothing extra.

But, he optimistically added, “This is changing. You can see it.”

Why? The plain problem, said multiple experts, is how broken the user name/password security system clearly is.

That's why more and more now say devices as a factor in multi-factor authentication is gaining steam, mainly because something new is needed and this just may be it.