Thursday, 18 September 2008
Palin's Hacked Email
The mechanism allows customers to retrieve or change their password if they can verify their identity by confirming personal information such as birthdate, zip code and the answer to a "secret question," such as a childhood pet's name or school mascot. Palin's hacker was challenged to guess where Alaska's governor met her husband, Todd. Palin herself had recounted in her speech at the Republican National Convention that the pair began dating two decades ago in high school in Wasilla, a town near Anchorage. Details of the break-in, if authentic, are consistent with speculation by computer security experts who said Yahoo's "forgot-my-password" service almost certainly was exploited.
Politics and party lines aside, accounts traditionally treated as 'low risk' (a personal email account, say), privacy and security are about to collide. Ashish Jain had a good post on this some time back. He discussed the inherent weakness of using facts for knowledge-based authentication (KBA): a birthdate, a zip code or the school where you met your spouse is readily available to anyone, some of it through a search engine, whereas opinions or preferences are far harder for a stranger to look up or guess.
A hacked personal email account also exposes other weaknesses of password-only security, because that mailbox is usually the channel through which other sites deliver password resets: whoever controls it can reset those passwords as well.
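To make the point concrete, here is an added Python sketch (my own illustration, not code from the original post and not Yahoo's actual implementation) that models the fact-based reset flow described in the excerpt beside a hardened variant in which the facts only start the flow and finishing it requires a random one-time code delivered to a pre-registered channel the attacker does not control. The account profile, the attacker's "public facts", the answer guesses and the attempt limit are all constructed for the simulation.

```python
"""Toy model of a knowledge-based 'forgot-my-password' flow.

Added illustration, not code from the original post and not any real
provider's implementation. All data below is constructed for the simulation.
"""
import hmac
import secrets

MAX_ATTEMPTS = 5  # assumed lockout threshold; a few guesses still suffice


def normalize(text: str) -> str:
    """Lower-case and collapse whitespace, as lenient KBA matchers do."""
    return " ".join(text.lower().split())


# Constructed account profile. Every field is the kind of fact that can be
# found in public records, a biography or a widely reported speech.
ACCOUNT = {
    "birthdate": "1964-02-11",
    "zip": "99654",
    "question": "Where did you meet your spouse?",
    "answer": "wasilla high school",
}

# Constructed attacker knowledge, gathered from public sources only.
# The answer guesses are the obvious phrasings of a fact stated in public.
ATTACKER_FACTS = {
    "birthdate": "1964-02-11",
    "zip": "99654",
    "answer_guesses": ["high school", "Wasilla High", "Wasilla High School"],
}


class FactBasedReset:
    """The weak design: matching three public facts is enough to reset."""

    def __init__(self, account):
        self.account = account
        self.failures = 0

    def attempt(self, birthdate: str, zip_code: str, answer: str) -> bool:
        if self.failures >= MAX_ATTEMPTS:
            return False  # locked out
        ok = (
            birthdate == self.account["birthdate"]
            and zip_code == self.account["zip"]
            and hmac.compare_digest(normalize(answer), self.account["answer"])
        )
        if not ok:
            self.failures += 1
        return ok


class OutOfBandReset(FactBasedReset):
    """Hardened design: the facts only open the flow. Completing it needs a
    random one-time code delivered via `deliver` to a channel the account
    owner registered earlier (SMS, alternate address, authenticator)."""

    def __init__(self, account, deliver):
        super().__init__(account)
        self.deliver = deliver
        self.pending_code = None

    def start(self, birthdate: str, zip_code: str, answer: str) -> bool:
        if not self.attempt(birthdate, zip_code, answer):
            return False
        self.pending_code = secrets.token_hex(16)  # 128 bits, unguessable
        self.deliver(self.pending_code)
        return True

    def finish(self, code: str) -> bool:
        if self.pending_code is None:
            return False
        ok = hmac.compare_digest(code, self.pending_code)
        self.pending_code = None  # single use: any finish consumes the code
        return ok


def attack_weak_flow() -> bool:
    """Attacker armed only with public facts against the fact-based flow."""
    flow = FactBasedReset(ACCOUNT)
    for guess in ATTACKER_FACTS["answer_guesses"]:
        if flow.attempt(ATTACKER_FACTS["birthdate"], ATTACKER_FACTS["zip"], guess):
            return True  # reset granted: account taken over within the lockout budget
    return False


def attack_hardened_flow() -> bool:
    """Same attacker, same facts, against the out-of-band flow."""
    victim_inbox = []  # the attacker cannot read this channel
    flow = OutOfBandReset(ACCOUNT, deliver=victim_inbox.append)
    for guess in ATTACKER_FACTS["answer_guesses"]:
        if flow.start(ATTACKER_FACTS["birthdate"], ATTACKER_FACTS["zip"], guess):
            break  # knowledge step passed, exactly as in the weak flow
    return flow.finish("0" * 32)  # best effort: guess the 128-bit code


def legitimate_user_hardened_flow() -> bool:
    """The real owner passes the same questions and can read the code."""
    inbox = []
    flow = OutOfBandReset(ACCOUNT, deliver=inbox.append)
    if not flow.start(ACCOUNT["birthdate"], ACCOUNT["zip"], "Wasilla High School"):
        return False
    return flow.finish(inbox[-1])


if __name__ == "__main__":
    print("weak flow, public-facts attacker:", attack_weak_flow())
    print("hardened flow, public-facts attacker:", attack_hardened_flow())
    print("hardened flow, account owner:", legitimate_user_hardened_flow())
```

The lockout in the weak flow does not help because the candidate answer set is tiny when the "secret" is a public fact; the fix is not a better question but a second factor tied to something the attacker does not possess.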
It's inevitable (and healthy IMO) that these sorts of events drive the adoption of stronger forms of authentication over the Internet. Federation will only increase the need to protect the front door better, since one identity provider's login then guards access to many relying sites.


