Except that the phone itself is increasingly the target. A compromised phone renders such "second-factor" idents moot.
I say "second-factor" in quotes because I don't really consider the code-to-the-phone a second factor. It's just another password. A proper second factor would be a token, a physical object or at least something that cannot be transmitted/intercepted.
I'm running into this problem when doing PCI audits. PCI demands two-factor for some things (internal, non-customers) but specifies the 'something you know, something you have, and something you are' approach. Since biometrics are out in most situations, that leaves passwords+tokens as a practical mandate under PCI. Code-to-the-phone schemes don't qualify.