Ask HN: Why are we still using passwords?
IANA security expert, but there are several on HN. Hopefully this will start an interesting discussion.
1) Why are we still using passwords to authenticate people online? And by "we", I mean most big public websites. Google, Facebook, Twitter, Gawker. It seems like some sort of key-based, public/private algorithm would be better than the current mess. Is this correct or am I forgetting something?
2) What would the optimal solution look like, assuming the browsers supported everything necessary?
1) Why are we still using passwords to authenticate people online? And by "we", I mean most big public websites. Google, Facebook, Twitter, Gawker. It seems like some sort of key-based, public/private algorithm would be better than the current mess. Is this correct or am I forgetting something?
Public key crypto still requires a private key - which is basically a password that is too long and obscure to be remembered by a human. And therefore has to be stored in a text file on your computer (a security risk in itself; I'd presume most people don't currently do this with their passwords). And good luck logging in to Facebook from a friend's computer.
The password is the simplest and most straightforward method of authenticating a user. Yes, you could go with a physical key (Near Field, USB, card, etc), thumbprint, eye-scan, or voice but all of those have their failings as well. How many stations have thumbprint scanners? My laptop does but I'm the only one I know and it is more a PITA. How many have cameras for facial recognition or eye scanning? Not mine. How would you access the site when you don't have your physical key on you? Couldn't your voice be just as easily hacked?
There is no better security for common use than the password... and it is just as effective as anything else with the added benefit of being universally applied if it is a decent one.
I'm not a security expert at all, but what's the point of a public key supposed to be if all you want to do is authenticate yourself?
Why would you want to use (e.g.) an RSA key for authentication, forcing you to carry around a data fob or something from computer to computer, instead of using a password or passphrase that you can actually remember? Ordinary users would flip out if you asked them to do that. If you really want a super strong key, you can simply use passphrases that don't suck, or you can always use a password manager like KeePass that encrypts your weak passphrases with a strong master key.
What's happening in the field of biometrics? Is it ever likely that I'll be asked to speak my name out loud and that'll work as reliably (from the user's perspective) as a password?
I've always thought, perhaps irrationally, that the problem with biometrics is false positives: i.e. letting in someone who isn't you. I mistype my passwords all the time, and I think users would be OK with a "Sorry, can you say that again?"-type message on occasion.
Basically, am I in "where's my flying car" territory?
One way would be the same thing you do with "forgot my password" links. You enter your email address, a link with a random activation key gets mailed to you, you click on the link in your email client and get logged back in. The activation key would have a limited validity span, say 30 mins, so even if anyone got hold of it, it would be useless.
The disadvantages are a) your email can be hacked and b) it's a bit inconvenient for the user. Also you'd need SSL to protect the key, which would be in the URL.
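A minimal version of the email-link flow described in the comment above, added here as an illustration (it is not code from the thread). The in-memory store, the login URL and the injectable clock are assumptions for the demonstration; a real site would keep the pending keys in a database and serve the link over SSL as the comment notes.

```python
# Added example (not from the HN thread): "magic link" login as described above.
# The activation key is random, stored only as a hash, valid for 30 minutes,
# and can be redeemed exactly once. Store, URL and clock are assumptions.
import hashlib
import secrets
import time

TOKEN_TTL_SECONDS = 30 * 60  # the 30-minute validity window from the comment


class MagicLinkService:
    def __init__(self, base_url="https://example.com/login", clock=time.time):
        self.base_url = base_url      # assumed login endpoint (served over SSL)
        self.clock = clock            # injectable so expiry can be tested
        self._pending = {}            # sha256(key) -> (email, expires_at)

    @staticmethod
    def _digest(token: str) -> str:
        # Only the hash is stored, so a leaked table does not leak live links.
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, email: str) -> str:
        """Create a single-use link for `email`; this is what would be mailed."""
        token = secrets.token_urlsafe(32)        # 256 bits of randomness
        expires_at = self.clock() + TOKEN_TTL_SECONDS
        self._pending[self._digest(token)] = (email, expires_at)
        return f"{self.base_url}?token={token}"

    def redeem(self, token: str):
        """Return the email for a valid key, else None. Always consumes the key."""
        # Looking up by hash means an unknown or expired key reveals nothing,
        # and popping it makes the link single-use even if it is replayed.
        entry = self._pending.pop(self._digest(token), None)
        if entry is None:
            return None
        email, expires_at = entry
        if self.clock() > expires_at:
            return None   # past the 30-minute window: the key is now useless
        return email


def token_from_link(link: str) -> str:
    """Extract the key from the link the user clicked (constructed helper)."""
    return link.split("token=", 1)[1]
```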
There is stuff like RSA SecurID. They ask for a password, but then also for an authentication number, where you have a device that shows you the authentication number. It changes the number every 60 seconds.
http://www.rsa.com/node.aspx?id=1156
I'm not sure this would ever be practical for consumers, but it's a clever idea. I've used it to get on VPNs at big companies.
The problem with passwords is that ideally they are long random strings and different for every site. But humans are not good at remembering such passwords, so they tend to pick shorter passwords and to re-use them on lots of sites.
But computers are good at remembering lots of long random strings, so why have we not developed a standard for site log-ons in which the browser chooses the passwords and stores them securely for the user?
I know this isn't exactly your point... but I think we're finally seeing passwords go away... and using Facebook, etc. as universal logins.