Well, as first pointers I would list Ericsson (they started a labs project for GBA) and NSN but there might be more. Forgive me, but I am no analyst 
Regards,
Peter
Robert: to your point about PINs vs. images, you’re right that having a user enter a PIN is also a type of “shared secret.” However the key difference is that a PIN is static and is therefore susceptible to keylogging malware. So, for example, if the business requires the user to entera PIN in order to access the soft token or in order to open the SMS message containing the OTP, that PIN can be captured using keyloggers planted on the phone and will no longer provide protection. In contrast, the image-based approach proposed by Confident Technologies is dynamic and changes every time.The pictures are different every time, in a different location on the grid every time, and the pieces of authentication code associated with each picture are randomly paired, to form a unique OTP each time. By being dynamic and creating an OTP each time, it is not susceptible to keyloggers the way a static PIN is.
Unfortunately, the sad truth is that many two-factor authentication solutions don’t even require a PIN from the user. My bank (and many other businesses) simply sends a text message to my phone with an authentication code clearly displayed in the text. I use an iPhone, which displays the text message OTP right on the phone’s screen – visible for anyone to see -- even though my phone is password protected. 
The idea of using a graphical or image-based approach to authentication has definitely not been abandoned in the academic research community. Numerous academic studies on the topic have been published within the last few years(2009 – 2011) in IEEE, the Association for Computing Machinery (ACM), the International Journal of Computer Science and Information Security, just toname a few. Recent research and proposed approaches have been published by Microsoft, Carnegie Mellon, and many different academic groups at universities within the last couple years… precisely because a visual approach to authentication has been shown to so usable. I’d say the academic research community are actually the ones keeping these idea alive as a viable approach, and it’s the industry that has not yet caught on. 
This is all 20-year old stuff (tokens, callback, SMS). Which we've implemented out of necessity for our customers, but doesn't move the needle in terms of security.
Where does a system like our host-proof Duo Push smartphone-based authentication fit in? Intuit calls us "context-aware authentication". Bruce Schneier calls it "transaction authentication". Our users call it "two-factor that doesn't suck" - high praise in this industry segment!
Bottom line - no two-factor auth system that completely fails when the user's endpoint is infected with malware (a safe assumption, as we've seen time and again) can be called "strong".
Under the category of out-of-band, dynamic secret 2FA, I would like to propose the following type of image-based approach be included:
As a second layer of authentication, it requires the user to apply a shared secret on the second factor device itself (the user must identify which pictures match their secret categories by tapping the appropriate pictures on the smartphone display). Therefore, it is a multi-layered, multifactor solution (requiring something the user knows on something the user has). As the user identifies the correct pictures on the mobile device, the mobile application communicates directly back to the business’ servers, thus it remains completely out-of-band from the web session.
Because the user must have knowledge of their secret categories, it is more secure than sending an authentication code in plain text as an SMS message (which someone else could read and use to fraudulently authenticationif they stole your phone or if they use a Zeus-in-the-mobile attack to intercept authentication text messages). Even if someone else has possession of your phone (through loss or theft) or if they were using Zeus malware to intercept communication and steal data, they would not be able to complete the authentication because they would see the image grid but they would not know which images to select. The images are different every time and generate a one-time authentication code (OTP) but the user only has to remember their few secret categories and look for the pictures that match their categories.
Here's an example on an iPhone:
As a side note, are you considering covering how one would provide strong, multifactor authentication to a user who is browsing to the website from their mobile phone? In this scenario, common two-factor solutions (such as sending an OTP to the phone by SMS) would no longer be considered an out-of-band, two-factor approach. As people increasingly use their smartphones as their primary devices for browsing the web, websites will need to have a mutilayered, multifactor solution to provide strong security.
