PhoneFactor Blog

Preventing mass-harvesting of credentials

Posted October 22, 2007 by Steve

Two-factor authentication is good for lots of things. In particular, correctly implemented two-factor authentication is good for preventing mass harvesting of credentials.

I was reading ArsTechnica this morning and came across this article about the mass theft of 79000 logins from a Finnish forum. The attack was basically a brute-force dictionary-style attack against the (obviously) weak passwords people had used.

PhoneFactor can effectively guard against this attack. As soon as the bad guys tried logging in as one of the cracked users, the user would get a phone call she wasn’t expecting, and therefore would know that her password had been compromised. PhoneFactor is one of the only two-factor systems that can provide this real-time notification of evildoing, giving the victim the opportunity, during the phone call itself, of locking her account until she can take action to change the password.

Oftentimes, security pros think about authentication issues in terms of a single user – "What is the best way to prevent a bad guy from targeting user X and getting her credentials?" – but the problem of mass-harvesting credentials can be just as important.

Note that this only works if the second factor behaves like something you have.

-Steve
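
The flow described above, as an added example that is not part of the original post and is not PhoneFactor's code: a password check followed by a phone-call confirmation, where an unexpected call lets the user report fraud and lock the account. The class, the `place_call` callback and its answer values, and the sample accounts are assumptions made for illustration.

```python
import hashlib, hmac, os
from dataclasses import dataclass

def hash_pw(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

@dataclass
class Account:
    salt: bytes
    pw_hash: bytes
    phone: str
    locked: bool = False

class PhoneConfirmedLogin:
    def __init__(self, place_call):
        self.accounts = {}
        self.place_call = place_call  # assumed: (user, phone) -> "approve" | "fraud" | "no_answer"
        self.fraud_reports = []       # where an administrator alert would hook in

    def enroll(self, user, password, phone):
        salt = os.urandom(16)
        self.accounts[user] = Account(salt, hash_pw(password, salt), phone)

    def login(self, user, password):
        acct = self.accounts.get(user)
        if acct is None or acct.locked:
            return "denied"
        if not hmac.compare_digest(hash_pw(password, acct.salt), acct.pw_hash):
            return "denied"
        answer = self.place_call(user, acct.phone)  # second factor: something you have
        if answer == "approve":
            return "granted"
        if answer == "fraud":  # unexpected call: the password is known to someone else
            acct.locked = True
            self.fraud_reports.append(user)
            return "locked"
        return "denied"        # no answer: a correct password alone is not enough

def demo():
    expecting = set()  # users who started a login themselves and expect the call
    svc = PhoneConfirmedLogin(lambda user, phone: "approve" if user in expecting else "fraud")
    cracked = {"alice": "123456", "bob": "qwerty", "carol": "letmein"}  # constructed sample
    for i, (user, pw) in enumerate(cracked.items()):
        svc.enroll(user, pw, f"+1-555-010{i}")
    expecting.add("alice")
    own = svc.login("alice", "123456")   # the owner's own login
    expecting.clear()
    harvested = [svc.login(u, p) for u, p in cracked.items()]  # logins with cracked passwords
    return own, harvested, svc.fraud_reports
```

Every login with a cracked password ends in a lock and a fraud report rather than a session, which is why the harvested list is worthless to whoever holds it.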


One Response to “Preventing mass-harvesting of credentials”

  1. You know, one really cool thing would be to allow the victim to alert the administrator of the issue, who would then be able to take action almost instantly (a pretty hardcore IDS, in my opinion).
