I've had an ING Direct account for quite a number of years now and have always been re-assured by how seriously they balance security and usability.  To access my account, I need my account number, I need to recognize a pre-selected image and phrase, and I need to enter my PIN.  All these lead to a decreased likelihood of my entering this information in a spoofed site.

I think they've really mastered the art of web based authentication while keeping usability at the fore.  From a secured computer, none of the above steps are onerous.

The truth is, and we all know it, once security becomes too complicated, we find a way to bypass it.  It makes me wonder if the fingerprint scan, which our exec loves on his ThinkPad, is really a good balance. 

Recently, ING unveiled an anti-phising tool.  I have mixed feelings about a bank distributing software but appreciate their intention in doing so. 

Looking at some banking sites really helps me think how I would like web based authentication to happen, particularly for secured or sensitive applications.