There’s a website we all know that offers a "Security Key" to provide an added layer of security, beyond the email address and password. While this is great in principle, it is undermined by giving users a way around it if they "lose" their Key. PhoneFactor, on the other hand, is a lot harder to lose and abuse.
The Security Key I’m thinking of displays a 6-digit number that changes every 30 seconds or so. The website where you type the code knows what number your key is supposed to be showing, so it knows when you type in the right number. To the rest of us, the numbers appear to be totally random and the next number can’t be figured out based on the numbers that have been shown so far. That’s a good layer of security because if you type in the right number, it’s pretty clear you must be holding the Security Key. A hacker around the world might fool someone into giving their email address and password (phishing) but if the website then demands a 6-digit code, they don’t have it.
If it ended there, I would be a big fan of the Security Key and I’d buy one. But it doesn’t end there. The website has to handle the predictable case that someone will lose their Security Key. The website I’m thinking of has the answer in their FAQ. If you lose your Key, you can still log in, they’ll just ask some security questions. What kind of question would that be? Typically, they are "What’s your mother’s maiden name?" or "What’s the last 4 digits of your credit card?".
Now those are answers that are within reach of hackers halfway around the world! My mother’s maiden name is no secret. A hacker who can trick someone into giving their password on a phishing site might also trick them into entering the credit card they use. The difficulty of getting these answers is much, much less than the difficulty of guessing a continually changing 6-digit number. So in the end, the layer of protection added by the Security Key is no better than the layer of protection added by typing in answers to "security questions".
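The argument above in code, as an added example that is not from the original post or from the website it describes. It assumes the Security Key uses standard TOTP (RFC 6238 with HMAC-SHA1), which the post does not state; the account record, `login` function and `allow_fallback` switch are hypothetical.

```python
import hashlib
import hmac
import struct

STEP, DIGITS = 30, 6  # code lifetime in seconds, code length

def totp(secret: bytes, now: float) -> str:
    """Code for the 30-second window containing `now` (RFC 6238 over RFC 4226)."""
    counter = struct.pack(">Q", int(now // STEP))
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation: low nibble picks 4 bytes
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)

def code_ok(secret: bytes, code: str, now: float, drift: int = 1) -> bool:
    """Accept the current window and `drift` windows either side (clock skew)."""
    return any(hmac.compare_digest(totp(secret, max(now + i * STEP, 0)), code)
               for i in range(-drift, drift + 1))

def login(account, password, now, code=None, recovery_answer=None,
          allow_fallback=True) -> bool:
    """Password plus either the rotating code or, if allowed, a static answer."""
    if not hmac.compare_digest(account["password"], password):
        return False
    if code is not None and code_ok(account["secret"], code, now):
        return True
    # "Lost my key" path: a fixed, researchable answer replaces the code.
    if allow_fallback and recovery_answer is not None:
        return hmac.compare_digest(account["answer"], recovery_answer.lower())
    return False

# Constructed sample account (toy: a real site stores a password hash).
ACCOUNT = {"password": "correct horse", "secret": b"12345678901234567890",
           "answer": "smith"}

if __name__ == "__main__":
    t, pw = 59, "correct horse"  # second 59 falls in window 1
    print("with key:         ", login(ACCOUNT, pw, t, code=totp(ACCOUNT["secret"], t)))
    print("password only:    ", login(ACCOUNT, pw, t))
    print("password + answer:", login(ACCOUNT, pw, t, recovery_answer="Smith"))
    print("fallback disabled:", login(ACCOUNT, pw, t, recovery_answer="Smith",
                                      allow_fallback=False))
```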
Take a look at PhoneFactor now.
Step 1: Enter your usual username and password.
Step 2: Instantly, you receive a phone call. Answer and press #.
A hacker around the world can’t press # on your phone, so they can’t use your account. It’s a lot harder to lose your telephone than a Security Key, and if you do, you’ve got a lot more motivation to replace it anyway and not just switch to "security questions". So there are three real benefits to choosing PhoneFactor:
1) You don’t have to buy a Security Key,
2) You don’t have to carry around a Security Key, and
3) The website doesn’t need a weaker substitute that neuters the whole system.