> Argon2 is a key derivation function, the winner of the password hashing competition and should be used for new projects. In case it isn't available, use Scrypt. Any other KDF is nonoptimal.

Probably not worth going for the marginally-better-but-new-and-fancy KDF if you don't have a reliable implementation available for your language.

Pretty much agree with everything else otherwise.
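
The fallback discussed above, as an added example that is not part of the thread: Argon2 when a binding is installed, otherwise scrypt from the Python standard library, with the cost parameters stored in the hash so it can be upgraded at the next login. The `argon2-cffi` package, the `scrypt$...` storage format, the cost values and all function names are assumptions.

```python
import base64, hashlib, hmac, os

try:  # argon2-cffi is a third-party binding and may not be installed
    from argon2 import PasswordHasher
    from argon2.exceptions import VerifyMismatchError
    _argon2 = PasswordHasher()
except ImportError:
    _argon2 = None

# Assumed scrypt cost (about 16 MiB per hash); tune for your hardware.
N, R, P, MAXMEM = 2**14, 8, 1, 64 * 1024 * 1024

def scrypt_hash(password, salt=None, n=N, r=R, p=P):
    salt = salt or os.urandom(16)
    dk = hashlib.scrypt(password.encode(), salt=salt, n=n, r=r, p=p,
                        maxmem=MAXMEM, dklen=32)
    enc = lambda b: base64.b64encode(b).decode()  # base64 never contains "$"
    return f"scrypt${n}${r}${p}${enc(salt)}${enc(dk)}"

def scrypt_verify(password, stored):
    try:  # malformed fields and invalid cost values all raise ValueError
        scheme, n, r, p, salt, want = stored.split("$")
        if scheme != "scrypt":
            return False
        salt, want = base64.b64decode(salt), base64.b64decode(want)
        got = hashlib.scrypt(password.encode(), salt=salt, n=int(n), r=int(r),
                             p=int(p), maxmem=MAXMEM, dklen=32)
    except ValueError:
        return False
    return hmac.compare_digest(got, want)  # constant-time comparison

def hash_password(password):
    return _argon2.hash(password) if _argon2 else scrypt_hash(password)

def verify_password(password, stored):
    """Return (ok, needs_rehash) for a stored hash of either scheme."""
    if stored.startswith("$argon2"):
        if _argon2 is None:
            return (False, False)
        try:
            _argon2.verify(stored, password)
        except VerifyMismatchError:
            return (False, False)
        return (True, _argon2.check_needs_rehash(stored))
    ok = scrypt_verify(password, stored)
    # Upgrade on login if Argon2 is now available or the scrypt cost changed.
    current = stored.startswith(f"scrypt${N}${R}${P}$")
    return (ok, ok and (_argon2 is not None or not current))
```
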
> Enforce multi-factor authentication instead

But in a way that your user won't lose everything if his USB gadget fails.

Also not in a way that it gets stronger than password and can be used alone to recover a password (SMS, for example).

Also not in a way that is written down on paper and typed later.

Also not in a way that prevents your user from using your software.