Two Factor Authentication

My introduction to two-factor authentication (aka “two-step” authentication), where you needed to enter a unique code on top of your normal username/password, was nearly 10 years ago when I worked at a large publishing firm. Whenever I accessed the VPN when I was outside of the physical office, or when I accessed some critical internal system, I would get prompted for a code. We had these key “FOBs” we carried around which generated a unique code; they were issued by RSA and looked something like this:

(Side note: I never knew why we called them a “FOB”, but Wikipedia provides a solid explanation: “The word fob may be linked to the low German dialect for the word Fuppe, meaning “pocket”, however, the real origin of the word is unknown.”)

The FOBs worked quite well, had a long battery life, and were reliable. I kept waiting for this technology to trickle down into consumer web applications, online banking sites, and the like, but it never did. With the terrible password habits that most people kept, it just seemed like a natural thing that these FOBs would one day make their way into our hands for non-work use. I just assumed that the price would dip to a point where banks would simply send consumers these devices for free.

So clearly that prediction didn’t happen, but fast forward 10 years, and I use my mobile phone/SMS for two-factor authentication without the need for the extra FOB hardware. Services like PayPal (SMS option) and now Google Apps (SMS and mobile apps) offer two-factor authentication by sending an SMS text with a code or by running a native mobile app that generates the unique code. Brilliant!

Overall, I think this is great, and a good trend, and that we’ll see this level of security baked into more and more web apps and services.

6 thoughts on “Two Factor Authentication”

  1. Hey Raanan – banks in the UK and NZ have been doing this for quite a long time, possibly not 10 years, but definitely my bank used this system when I lived in England six years ago.

  2. One of the cellular companies in Israel has been using SMS verification on their web site for a few years now.

    The main difference between the “FOB” and SMS is that someone at the organization gave it to you while he identified you personally. This is not the case with SMS.

  3. My bank started issuing what looked like calculators about 2 years ago; what they actually are is a random check number generator which authenticates with any online transfer transaction. The website asks for the code, you have to put your chip & pin card into the ‘calculator’ and type in the code given, and it then generates an authority code which you then type in.

    This is all after getting access to the site in the first place with account details and a set of security questions and a PIN which is different from the PIN for the card.

    It was a pain in the neck at first as you had to carry the device with you any time you wanted to carry out money transfers but now I’m really into it. (BTW the bank is the Smile internet bank in UK, part of the Cooperative bank group if you want to try it out!!).

    Doesn’t stop the wife buying shoes though…..!!
