I've been thinking about sign-on systems for some time. My approach is to reuse existing systems like email for authentication purposes. This is already widely used to confirm signups: you all know those confirmation mails containing a special link to click to confirm that you signed up. Given that you have an email application available, it's very easy to provide single sign-on. Of course phishing is also an issue here, but it could be solved, for example, using PGP-signed messages (which requires support in the email application).
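The confirmation-link scheme described above, as an added example (this is not code from the original post): the server mints an opaque token for the link that is bound to the e-mail address, signed with a server-side key, time-limited and single-use, and checks it in constant time when the link is clicked. The server key, the 15-minute lifetime, the `example.invalid` URL and the in-memory replay set are assumptions of the example; a real deployment would load the key from configuration and keep the replay set in shared storage.

```python
import base64
import hashlib
import hmac
import secrets
import time
from typing import Optional

# Hypothetical server secret: generated at start-up here so the demo runs
# stand-alone. A real deployment loads it from configuration and keeps it
# out of source control.
SERVER_KEY = secrets.token_bytes(32)
TOKEN_TTL = 15 * 60          # assumed lifetime of a login link, in seconds
_used_token_ids = set()      # ids of links already redeemed (single use)


def _sign(payload: bytes) -> bytes:
    return hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()


def issue_login_token(email: str, now: Optional[float] = None) -> str:
    """Build the opaque token that goes into the confirmation link."""
    issued = int(time.time() if now is None else now)
    token_id = secrets.token_hex(16)      # unpredictable id, used to enforce single use
    payload = f"{token_id}|{email}|{issued + TOKEN_TTL}".encode()
    raw = payload + _sign(payload)        # 32-byte MAC appended, no separator needed
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


def login_link(email: str, base_url: str = "https://example.invalid/login") -> str:
    return f"{base_url}?t={issue_login_token(email)}"


def redeem_login_token(token: str, now: Optional[float] = None) -> Optional[str]:
    """Return the authenticated e-mail address, or None if the link is bad.

    Every failure path returns None without saying why: the server should
    not tell someone guessing links which part of a forged token was wrong.
    """
    try:
        padded = token + "=" * (-len(token) % 4)
        raw = base64.urlsafe_b64decode(padded)
        payload, mac = raw[:-32], raw[-32:]
        token_id, email, expiry_text = payload.decode().split("|")
        expiry = int(expiry_text)
    except (ValueError, UnicodeDecodeError):
        return None
    if not hmac.compare_digest(mac, _sign(payload)):   # forged or tampered
        return None
    current = time.time() if now is None else now
    if current > expiry:                               # link too old
        return None
    if token_id in _used_token_ids:                    # link already clicked once
        return None
    _used_token_ids.add(token_id)
    return email
```

Note what this does and does not buy you: the token cannot be guessed or altered, and a link that leaks later is useless once it has expired or been used, but nothing here stops a phishing site from asking the user to click a link it generated itself; that is the gap the PGP-signed message would have to close.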
When you want to design a sign-on system, there are many things to consider, for example whether the user is using a machine that belongs to him or her. If I use my own computer to log in to a page, I could use client certificates for SSL authentication. I think most browsers support this, but no user knows about it, and I think there are no web applications that make use of it. But it would be the most secure and best solution, as you'd see the server's certificate and have to trust it, and it would automatically imply that all traffic is encrypted.
But what if you want to sign in from an untrusted computer, e.g. from an internet cafe? First, you will not have your certificate with you; second, the computer could be compromised (key logger etc.). So you wouldn't want to type in a password anyway, unless that password is only ever used once, like those "passwords" you know from the TAN list for online banking. One-time passwords can, for example, be used to log in to a FreeBSD system.
So if you consider logging in from an untrusted computer, a sign-in system should also give you the ability to specify a one-time password.
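The FreeBSD one-time passwords mentioned above are the S/Key style (OPIE) hash chain, and the construction is what makes a key logger harmless: the value typed today is the preimage of the value the server stored yesterday, so capturing it tells the attacker nothing about tomorrow's. The following is an added example of that chain, not code from the post or from OPIE: SHA-256 stands in for the folded MD4/MD5 of the real implementation, values are raw bytes instead of the six-word encoding, and the user name, seed and passphrase are constructed.

```python
import hashlib
import hmac
from typing import Dict, Optional, Tuple


def _h(x: bytes) -> bytes:
    # SHA-256 stands in for the folded hash real S/Key and OPIE use;
    # the chain construction is the same.
    return hashlib.sha256(x).digest()


def otp_value(passphrase: str, seed: str, n: int) -> bytes:
    """Element n of the user's chain: H applied n times to seed||passphrase.

    Only the client ever runs this; the secret passphrase never leaves it
    and is never typed on the untrusted machine.
    """
    x = (seed + passphrase).encode()
    for _ in range(n):
        x = _h(x)
    return x


class OTPServer:
    """Per user the server keeps only (seed, index, last accepted value)."""

    def __init__(self) -> None:
        self._users: Dict[str, Tuple[str, int, bytes]] = {}

    def enroll(self, user: str, seed: str, n: int, top_value: bytes) -> None:
        # The client computes top_value = otp_value(passphrase, seed, n) on a
        # trusted machine and sends it once when the chain is set up.
        self._users[user] = (seed, n, top_value)

    def challenge(self, user: str) -> Optional[Tuple[str, int]]:
        """Tell the client which chain element to present next."""
        if user not in self._users:
            return None
        seed, index, _ = self._users[user]
        return seed, index - 1

    def verify(self, user: str, candidate: bytes) -> bool:
        if user not in self._users:
            return False
        seed, index, stored = self._users[user]
        if index <= 0:
            return False          # chain exhausted; the user must re-enroll
        if not hmac.compare_digest(_h(candidate), stored):
            return False          # wrong passphrase, or a replayed value
        # Accept and move the chain down one step: the value just used becomes
        # the stored one, so presenting it again will no longer match.
        self._users[user] = (seed, index - 1, candidate)
        return True


def client_login(server: OTPServer, user: str, passphrase: str) -> bool:
    """The client's half of a login from an untrusted machine."""
    chal = server.challenge(user)
    if chal is None:
        return False
    seed, k = chal
    if k < 0:
        return False
    return server.verify(user, otp_value(passphrase, seed, k))
```

The server never holds the passphrase, only the last accepted hash, so a stolen server database yields nothing but values that have already been spent; and because the chain only ever moves downward, a value captured by a key logger in the cafe is rejected the moment it is replayed.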
In short, I'd suggest:
- For your home computer: transparent authentication using a client-side certificate + client-side master keyword
- Trusted computer with email access: email-based authentication
- Untrusted computers: One time passwords