I use PhoneFactor for Logmein and it's also available for OWA. It works like a charm and haven't had any issues. I wish people would get over having another physical device to carry.

peace

Our company uses phone factor for logmein and it works pretty good since majority of our workforce is mobile.

I know this a bit of a PhoneFactor love fest, but the solution does have some major benefits over over two-factor authentication solutions.

Over sms-passcodes 1) PhoneFactor does not require a mobile device, it can be used on a landline 2) PhoneFactor is easier to intergrate with multiple secure enterprise solutions. 3) People can press a button to authenticate far easier than having to be skilled in opening and reading a text message (think older generations)

Over security tokens 1) People place a lot more primary value in their phones than a security token. Less lost IT equipment. Less hassle for IT departments. 2) Easier to install, scale and integrate.

Also you really get a wow-factor as well with this solution. Is that a advantage, maybe not in pure business terms. But with ease of use, peace of mind and value this software provides it's just the icing on the cake.

Okay, the other cool thing about using a phone is that it is potentially ubiquitous, making virtually any potential user a candidate for 2-factor authentication. Suddenly consumer web-based apps can require 2-factor authentication because there is what appears to be an infinitely scalable solution.

Yes, web-based can be some much more secure using a solution like this. What is more, I think people, will more and more access there applications and data online.

Which really means all your stuff will be online and accessible from any computer. So really cool, I can be anywhere and boot up my computer from any terminal and get all my stuff, GREAT.

With that power comes great risk. You don't want other people to get it. Like having the whole world on your doorstep with a wonky lock.

PhoneFactor will make that door like fortress. Meaning you sleep better at night.

Scalability. Anything with a token isn't really scalable. You can provide them for your corporate travel and work-at-home corps. But you can't provide them for everybody. You'd go crazy. A secure web-based solution, for example. What if financial services such as PayPal required 2-factor someday? No way you'd distribute tokens. But, you might require (or make available), a solution like PhoneFactor, because management of the solution could scale, perhaps infinitely.

I just thought of a potential flaw with PhoneFactor. What if someone changes your phone number to theirs? How secure is the facility to change the phone number?

There are some options. Interestingly, there is nothing special and new technically about them. The main advancement is the ubiquity of wireless phones. When you think about it, It wouldn' have been necessary to 2-factor Authentication with desktop computing. With people on the go, it would be necessary to assume there is a networked device in the hands of every user. This hasn't been true until this very moment in history.