Second Factor Authentication

A few days ago a friend of mine lost her Yahoo mailbox. She was fooled by a phishing page into giving up her password, and soon the phisher had control of her mailbox, forcing her out by changing the password to one of his own. The standard recovery should be to reset the password and set a new one, forcing the phisher out. As is practiced in such scenarios, an automated process tries to work out whether the person claiming rights to the account is genuine by asking predefined questions set up when the now-compromised account was created. And very often people simply do not know the answers to their very own questions, making recovery impossible, as they cannot prove their identity.

For some reason Web sites have been ignoring a perfect second-factor authentication device: the personal mobile phone. Years ago phones were tied to places. Today phones are as personal as toothbrushes; everybody has their own. Phone numbers are even more personal: with mobile number portability a standard service nowadays, you can change handsets, you can change service providers, and your number stays with you. Shouldn't that personal phone number provide a standard second factor in various scenarios? Shouldn't Yahoo, when the password to an online account is being changed, simply call you automatically and ask you to enter a PIN displayed on the change-password page? This way they could even keep their database of phone numbers current...

Banks have been using mobile phone numbers for a while now. Usually they send an SMS text message containing a one-time PIN to be entered in the online application to authorize a money transfer or other operation. But banks are about the only institutions that have implemented second-factor authentication over a mobile phone channel. Internet companies seem to ignore the existence of personal phones. But not all of them. Last week I was pleasantly surprised when Amazon AWS (the "cloud" service by Amazon) notified me that they wanted my mobile number and automatically verified the number I entered by calling it and asking me to enter a PIN on my phone's keypad.
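As an added illustration (not code from this post, Amazon or Yahoo), here is a server-side sketch of the flow just described: the PIN is shown on the web page, the server dials the registered number, and only digits typed on the keypad of that call complete the check, so holding the password or the web session alone is not enough. The telephony hook, the 6-digit PIN, the two-minute lifetime and the three-attempt limit are assumptions.

```python
import hmac
import secrets
import time

PIN_TTL_SECONDS = 120   # assumed: how long a displayed PIN stays valid
MAX_ATTEMPTS = 3        # assumed: keypad mistakes tolerated per call

class PhoneCallVerifier:
    """Display a PIN on the page, dial the registered phone, accept the PIN only from that call."""

    def __init__(self, place_call, now=time.time):
        self._place_call = place_call   # hypothetical hook: place_call(number) -> call_id
        self._now = now
        self._pending = {}              # call_id -> challenge state

    def start(self, session_id, phone_number):
        pin = "".join(secrets.choice("0123456789") for _ in range(6))
        call_id = self._place_call(phone_number)
        self._pending[call_id] = {"session": session_id, "pin": pin, "attempts": 0,
                                  "expires": self._now() + PIN_TTL_SECONDS}
        return pin   # rendered on the change-password page, never spoken on the call

    def keypad_entry(self, call_id, digits):
        """Telephony callback with the digits the callee typed. Returns the verified session id or None."""
        ch = self._pending.get(call_id)
        if ch is None or self._now() > ch["expires"]:
            self._pending.pop(call_id, None)      # unknown, already consumed, or stale
            return None
        ch["attempts"] += 1
        if hmac.compare_digest(digits, ch["pin"]):
            del self._pending[call_id]            # single use: a replay of the PIN fails
            return ch["session"]
        if ch["attempts"] >= MAX_ATTEMPTS:
            del self._pending[call_id]            # too many mistakes: user must start over
        return None

def demo():  # walk the flow with a fake dialler and a fake clock (constructed sample data)
    clock, calls = [1000.0], []
    dial = lambda number: calls.append(number) or f"call-{len(calls)}"   # fake telephony
    v = PhoneCallVerifier(dial, now=lambda: clock[0])
    pin = v.start("sess-A", "+1-555-0100")
    wrong = "000000" if pin != "000000" else "111111"
    rejected = v.keypad_entry("call-1", wrong) is None
    accepted = v.keypad_entry("call-1", pin) == "sess-A"
    replayed = v.keypad_entry("call-1", pin) is None        # PIN already consumed
    pin2 = v.start("sess-B", "+1-555-0100")
    clock[0] += PIN_TTL_SECONDS + 1
    expired = v.keypad_entry("call-2", pin2) is None        # entered too late
    return rejected, accepted, replayed, expired
```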

Simple, easy and very secure. Much better than the "what is your mother's maiden name" security question asked so often... "Why do you ask?" I should reply... Everybody knows that... And it is in the directory... It does not prove my authenticity at all...
