For essentially the entire Internet era, the way you've validated your identity to a website has been to adopt a unique UserID (often your eddress) and a cryptic password supposedly known only to you. The standard advice for a password is that it should be easy to remember but hard to guess.
Well, where money is at stake (like for the half of the Internet not devoted to cats), there are beaucoup motivations for cracking this relatively unsophisticated 2-factor authentication, and recent massive ripoffs of valid user identities have hit several large financial institutions, almost all of which naively believed they had good security. Wrong!
So the State of New York, where a huge number of big-buck corporations are headquartered, is giving serious thot to requiring multi-factor authentication, at least for employees and contractors. But we can see the handwriting on the wall. Sooner or later, simple name and password won't cut it for us end users, either.
Fortunately, Apple seems to be more on top of this than most computer vendors, tho some of the solutions they're working on conjure up grisly images from SF and spy movies of bad guys holding up severed fingers and gouged-out eyeballs in front of security cameras to validate the identity of some (former) poor schmuck who had actual, legitimate authorization to get in.