Security checkpoints - how much is enough?
Company X has username/password authentication to log into their corporate domain. After three successive incorrect login attempts the account is locked.

Company X maintains a web-based password station where users can go to unlock their own accounts. There are 5 questions to which you must provide the correct responses in order to unlock your account.

Assuming 8 characters for each of the username, password and five security-question responses (7 fields), and only 26 letters and 10 digits as the possible characters in each field, yields an approximate probability of 1/(36**56):

.0000000000000000000000000000000000000000000000000000000000000000000000000000000000001

that a random attacker could ever log into the system given unlimited successive failures. This calculation does not even include the randomness of the URL involved for the corporate domain or the password station.

Obviously, the geniuses who came up with this security model were of the political rather than the mathematical persuasion.


As a computer scientist I want to let everyone in the computing industry know that you have become a bunch of overbearing jerks. You have used 'security' to turn yourselves into a digital gestapo.

No one has ever guessed ANY of my passwords. 2-factor authentication is just an annoying exercise of power. CAPTCHA using a test is dehumanizing.

How about firing all these 'experts' and hiring some people who understand what 'user-friendly' means?