How to distinguish on-line dictionary attacks and password mis-typing in two-factor authentication.