This is a form of two-factor authentication because it uses two factors: something you have (the card) and something you know (user ID and password). These cards can contain any number of rows and columns, or cells as long as they fit comfortably on it. The general rule is the more cells provided, the more potential combinations, and therefore the more secure the card is.
Bingo cards are attractive because they are cheap, easy to produce and easy to replace. Additionally, unlike smart cards or tokens they do not require a chip or internal mechanism to function. However, these cards do have a drawback. After some time, depending on the number of cells, the combinations can become stale and, just like an old or weak password, eventually can be cracked. A patient attacker could use keystroke logging techniques to sniff out the user's creditionals to figure out the patterns. Once the patterns are pieced together, the combinations will be revealed.
While bingo cards haven't been widely adopted, they are interesting and easy-to-implement two-factor authentication tools. To learn more about them, you can research two products that are currently on the market, Entrust's IdentityGuard and TriCipher's Armored Credential System.
This was first published in February 2006