I was asked recently to look at the security of the PhoneFactor 2-factor authentication solution. If you don't know what it is, then you can find out more here , but essentially you enter your username and password, then they phone you on your pre -defined number and press the # key to validate the authentication. The problem with just pressing the # key is obvious, but they allow you to configure entering a PIN number rather than just pressing the # key. To my mind, there should be no other option than having to type in the PIN number. However, this isn't necessarily a brilliant idea. As I've said before in this blog , a lot of phones log the digits dialled, in which case that PIN isn't secure. I was also told that the PSTN and GSM networks are secure, so this is a good solution. I'm not sure I agree that PSTN and GSM networks have good security. Analogue PSTN is easy to listen in to with proximity and GSM can theoretically be cracked, and probably will ...