
Okay, so my phone? My, at work, workstation?

How about borrowing a friend's computer? If you suggest that I'd bring a USB dongle for that, we live in different universes.




I was simply trying to clarify the challenge-response mechanism for the parent poster, not suggesting you use keychain dongles everywhere.

Regardless, the idea that the plaintext password doesn't have to leave the device (whether the device is a dongle, your phone, or the keychain application) is a valuable consequence of the challenge-response mechanism, and I wish support for it were more widespread.


The reason it isn't widespread is that you also have to spread it across all your devices, which is neither secure nor usable enough for the mainstream today.

Unless that is solved it isn't a solution worth considering.


Not worth considering as a 'fits all' solution, yes, but it is still worth considering for specialized cases; in general, those cases where the added inconvenience is worth the added security. For example, some banks use effectively this for logging in to your online account. And that can be made to work with any device with a display and a keyboard:

  - computer shows challenge#

  - user types challenge# on bank supplied device

  - bank supplied device shows response

  - user types response on computer
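The four-step exchange above, and the point made earlier in the thread that the secret never has to leave the device, as an added worked example that is not part of the original discussion and is not any bank's actual scheme. It assumes a hypothetical token provisioned with a shared secret at enrolment (the constructed `SHARED_SECRET` below), responses derived with HMAC-SHA256 and truncated to six digits HOTP-style (RFC 4226 dynamic truncation) so the user can retype them, and a server that accepts each challenge exactly once so a captured response cannot be replayed.

```python
import hmac
import hashlib
import secrets
from typing import Dict

# Constructed example secret: provisioned into the token and the bank's server at
# enrolment. The computer the user logs in from never sees it; only the short
# challenge and response are typed across that boundary.
SHARED_SECRET = bytes.fromhex("000102030405060708090a0b0c0d0e0f")
CHALLENGE_DIGITS = 8
RESPONSE_DIGITS = 6


def compute_response(secret: bytes, challenge: str) -> str:
    """HMAC-SHA256 over the challenge, truncated to a retypable decimal code."""
    mac = hmac.new(secret, challenge.encode("ascii"), hashlib.sha256).digest()
    # HOTP-style dynamic truncation: low nibble of the last byte picks a 4-byte window.
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{code % 10 ** RESPONSE_DIGITS:0{RESPONSE_DIGITS}d}"


class Token:
    """The bank-supplied device: the user types a challenge, it shows a response."""

    def __init__(self, secret: bytes) -> None:
        self._secret = secret  # never exported; only respond() uses it

    def respond(self, challenge: str) -> str:
        return compute_response(self._secret, challenge)


class BankServer:
    """Issues a fresh challenge per login attempt and verifies the retyped response."""

    def __init__(self, secret: bytes) -> None:
        self._secret = secret
        self._pending: Dict[str, str] = {}  # session id -> outstanding challenge

    def new_challenge(self, session: str) -> str:
        # Step 1: the challenge the computer displays to the user.
        challenge = f"{secrets.randbelow(10 ** CHALLENGE_DIGITS):0{CHALLENGE_DIGITS}d}"
        self._pending[session] = challenge
        return challenge

    def verify(self, session: str, response: str) -> bool:
        # Step 4: the response the user typed back into the computer.
        # pop() makes each challenge single-use, so a replayed response fails.
        challenge = self._pending.pop(session, None)
        if challenge is None:
            return False
        expected = compute_response(self._secret, challenge)
        return hmac.compare_digest(expected, response)


def run_login_flow() -> Dict[str, bool]:
    """Walk the exchange once, then show that replay and a wrong code are rejected."""
    server = BankServer(SHARED_SECRET)
    token = Token(SHARED_SECRET)

    challenge = server.new_challenge("session-1")   # computer shows challenge
    response = token.respond(challenge)             # user types challenge on token, reads response
    first_attempt = server.verify("session-1", response)  # user types response on computer

    replay = server.verify("session-1", response)   # same response again: challenge already consumed

    challenge2 = server.new_challenge("session-2")
    wrong = "000000" if token.respond(challenge2) != "000000" else "999999"
    wrong_code = server.verify("session-2", wrong)

    return {"first_attempt": first_attempt, "replay": replay, "wrong_code": wrong_code}


if __name__ == "__main__":
    print(run_login_flow())
```

The server recomputes the response from its own copy of the secret and compares with `hmac.compare_digest`, so nothing a keylogger on the computer captures (challenge or response) lets it log in later: the challenge is consumed on first use, and the next login gets a fresh one.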


Blizzard uses a challenge-response system called SRP for Battle.net. That's fairly mainstream.

You have to enter your password into all your devices anyway, so why not use challenge and response?



