When securing computer systems, passwords are quite often the weakest point: it is hard to choose (and remember) a password that is not easy to guess. In all places where passwords are used, you can (at least theoretically) also use cryptographic keys. Compared to passwords, cryptographic keys are far more secure: they are almost impossible to guess. They have only one big disadvantage: they are stored on a computer. If that computer falls into the wrong hands, the keys are compromised too. Of course, you can protect your cryptographic key with a password, but then we are back at the problem we started with.
Fortunately, security engineers can pull one more trick out of their sleeves: smart cards. And I must say, I love them. By putting the cryptographic keys on a smart card, you can keep them separated from the computers you use them on. With more advanced smart cards the keys never have to leave the card: the card does the calculations needed to prove what needs to be proven and passes the results back to the computer. Such cards are also extremely hardened against attempts to read out the keys by examining the chip on them. And finally: these cards need a password to unlock, but after three failed passwords the card locks up. So an attacker has only three attempts to guess the password; after that, it takes at least a big laboratory and a lot of experimenting to make the card reveal its secrets.
As I said, I love smart cards, and I use them on a daily basis. I use them to unlock the encrypted data on my computer, I use them to log in to other computers and I use them to secure and authenticate my e-mail. But recently my faith in smart cards took some damage: while making the website thealiceandbobsuicide.org I realized smart cards add another layer of abstraction to the picture. A password (if not sniffed or stolen by a key logger) indicates the right human is interacting with the system. With a smart card the right human interacts with the smart card and the smart card interacts with the other systems. Now we must trust not only the computer, but also the smart card. And so it becomes more and more impossible to verify what all these components are doing and whether they can be trusted. The technological sophistication of smart cards is also their Achilles' heel: adding more technology results in less trust, not more.
So where to go from here? I don't know. But if we ever want to trust our computers, we need to make them easier to audit, not add more complexity to them.