
[deleted]



Except that the phone itself is increasingly the target. A compromised phone renders such "second-factor" idents moot.

I say "second-factor" in quotes because I don't really consider the code-to-the-phone a second factor. It's just another password. A proper second factor would be a token, a physical object or at least something that cannot be transmitted/intercepted.

I'm running into this problem when doing PCI audits. PCI demands two-factor for some things (internal, non-customers) but specifies the 'something you know, something you have, and something you are' approach. Since biometrics are out in most situations, that leaves passwords+tokens as a practical mandate under PCI. Code-to-the-phone schemes don't qualify.


I've seen PCI auditors accept code-to-the-phone as proper two-factor auth many times. Not that you aren't right...


Does the "TrustZone" of iPhones count?


How does this example protect against phishing? Since the user believes that he's actually authenticating with WellsFargo.com, he would confirm.

That's what U2F protects against.
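The reason U2F is the answer to the phishing question above is origin binding: the browser, not the web page, records which origin made the sign request, and the token will only use a key handle for the origin it was registered under. What follows is an added example, not code from this thread or from the U2F specification: a small Go model of the sign flow with a token, a browser and a server-side verifier. The origins (https://bank.example and https://bank-login.example), the key-handle format and the simplified signature digest are assumptions made for the illustration; real U2F also signs a user-presence byte and a counter.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
)

// ClientData is built by the browser for each sign request; the browser fills in Origin.
type ClientData struct {
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// Assertion is what the server receives back from the browser.
type Assertion struct {
	KeyHandle  string
	ClientData []byte // serialized ClientData
	Signature  []byte // ASN.1 ECDSA signature over signedDigest(...)
}

// Token models a U2F authenticator: one key pair per registration, bound to an origin.
type Token struct {
	keys   map[string]*ecdsa.PrivateKey
	appIDs map[string]string
}

func NewToken() *Token { return &Token{keys: map[string]*ecdsa.PrivateKey{}, appIDs: map[string]string{}} }

// Register mints a key pair bound to origin; returns the key handle and public key.
func (t *Token) Register(origin string) (string, *ecdsa.PublicKey, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return "", nil, err
	}
	handle := fmt.Sprintf("kh-%d", len(t.keys)+1) // constructed handle; real tokens wrap the key
	t.keys[handle] = priv
	t.appIDs[handle] = origin
	return handle, &priv.PublicKey, nil
}

// signedDigest is a simplified U2F signature input: SHA-256(SHA-256(appID) || SHA-256(clientData)).
func signedDigest(appID string, clientData []byte) []byte {
	appHash, cdHash := sha256.Sum256([]byte(appID)), sha256.Sum256(clientData)
	d := sha256.Sum256(append(appHash[:], cdHash[:]...))
	return d[:]
}

// Sign refuses a key handle for any origin other than the one it was registered under.
func (t *Token) Sign(handle, appID string, clientData []byte) (Assertion, error) {
	priv, ok := t.keys[handle]
	if !ok || t.appIDs[handle] != appID {
		return Assertion{}, fmt.Errorf("key handle %q is not registered for %q", handle, appID)
	}
	sig, err := ecdsa.SignASN1(rand.Reader, priv, signedDigest(appID, clientData))
	if err != nil {
		return Assertion{}, err
	}
	return Assertion{KeyHandle: handle, ClientData: clientData, Signature: sig}, nil
}

// BrowserSign is the browser's part: the appID is the origin of the requesting page.
func BrowserSign(t *Token, pageOrigin, challenge, handle string) (Assertion, error) {
	cd, _ := json.Marshal(ClientData{Challenge: challenge, Origin: pageOrigin}) // cannot fail for plain strings
	return t.Sign(handle, pageOrigin, cd)
}

// Verify is the server side: our challenge, our origin, and a signature under the stored key.
func Verify(rpOrigin, challenge string, pub *ecdsa.PublicKey, a Assertion) error {
	var cd ClientData
	if json.Unmarshal(a.ClientData, &cd) != nil || cd.Challenge != challenge {
		return errors.New("unreadable or stale client data")
	}
	if cd.Origin != rpOrigin {
		return fmt.Errorf("assertion was produced for %q, not %q", cd.Origin, rpOrigin)
	}
	if !ecdsa.VerifyASN1(pub, signedDigest(rpOrigin, a.ClientData), a.Signature) {
		return errors.New("bad signature")
	}
	return nil
}

func main() {
	tok := NewToken()
	const bank = "https://bank.example" // constructed origin
	handle, pub, _ := tok.Register(bank)
	a, _ := BrowserSign(tok, bank, "challenge-1", handle) // genuine page at the bank's origin
	fmt.Println("genuine site:", Verify(bank, "challenge-1", pub, a))
	// A phishing page relays the bank's challenge and key handle, but the browser binds
	// the request to the page's own origin, so the token refuses to sign.
	_, err := BrowserSign(tok, "https://bank-login.example", "challenge-2", handle)
	fmt.Println("phishing site:", err)
}
```

The point to take from the model is that the user's belief about which site they are on never enters the check: the browser supplies the origin, the token enforces it, and the server re-derives it independently, so a confirmation given on the wrong page produces nothing the real site will accept.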


It's also expensive... the vast majority of users aren't going to buy a U2F key and carry it around. They just won't. 2-way OOB authentication does protect against phishing when combined with other information, such as IP geolocation. For example, the message could say "if you are not in [city from which login is coming], do not reply to this message".


Simple OOB authentication is much better than nothing, and I agree with you that most users aren't going to buy a U2F key unless it's subsidized and/or required by a service (look at Github - they're running a $5 U2F YubiKey promotion right now).

But still, there's no way to make this really secure for the average user. IP geolocation is easily tricked - a scammer just needs a large enough botnet and he'll be able to pick an IP address in the same city for the majority of victims.


$18 for the cheapest one. I paid 12 pounds for the same key on Amazon.co.uk


Hm, I think they changed the offer, because when I went through a week and a half ago I got two for $15 (including shipping). Ah yep...

>While supplies last, GitHub users can purchase special edition U2F Security Keys for $5 plus shipping and handling (regular price $18; 5,000 special edition keys available). After the special keys are gone, all GitHub users are eligible for a 20% discount on U2F-certified YubiKeys, for a limited time.


Everyone will soon be using hardware key signing devices for identification and authorization as these keys are gonna basically be free within a couple of years. We're also moving towards self-authentication with public key crypto.



