My bank has gotten two-factor authentication badly wrong: In a move to have “what you know” and “what you get”, they’ve introduced “TAN cards”. These cards have a login and a 12-letter code printed on them. For each login, you need to type in three randomly chosen letters. In addition to that, you have to enter a password; this is also used to confirm every single transaction.

Leaving aside the fact that nothing in these “TAN” cards is transaction-specific, the “system” is topped by demanding that the password be at least 10 characters long, and high-entropy — and that is even enforced.

The result? Pretty much nobody can reliably memorize a high-entropy password with 10 letters. Hence, the system degenerates into two times “what you have.”

Remember: If you want to do “what you know” style authentication, make the shared secret something that people *can* know.