Reading this comment, I thought Yubikeys, which aren't /expensive/, but aren't cheap either. I was pleased to see they have a key targeted at this specific use case now - the Security Key Series [0]. At $25, that is not too bad a price, and something I'd buy for the members of my family without much hesitation.

The hangup with this, which I think the librarian in question will feel, is what happens when someone loses their key? How can I set up a trust relationship that my local librarian can reset my grandma's Yubikey, but a bad actor can't? And, $25 isn't so bad once, but if we have to replace it every month, that's less fun. Maybe that's just agreeing with you and lamenting the state of things, but maybe someone will read this and think $25 isn't so bad and write a grant to pilot this program.

0. https://www.yubico.com/store/#for-individuals



I wouldn't feel confident assuming that the homeless can feel secure in retaining their yubikeys from theft. The optimal solution would probably be some sort of multisig solution where a trusted party like a librarian and maybe a person's parole/benefits/welfare/etc officer hold on to keys.


I believe you can set up multiple keys. In this manner, a librarian could keep a "master key."

This compromises security somewhat, since the library houses one of the second factors, but IMO it's preferable to total account lockout (and still superior to SMS verification).


If you’re using someone else’s computer, or a computer at a library, you have no security. TLS isn’t enough to be certain they haven’t intercepted the connection, installed their own root certs, or whatever else. I can’t think of any method to securely use someone else’s computer and connection unless you bring a live boot Linux USB or something, which I doubt applies to the intended audience here.

Sure, having a physical key makes it easy for a non-technical librarian to steal someone’s identity, but perhaps having some kind of yubikey safe deposit box would be an appropriate compromise.


Also consider that the Yubikey is only the second factor; the user still needs to enter the password. Obviously password resets are possible, but they might be a bit more of a tip-off to the user.



