While registering just now for Amazon Web Services (AWS), we discovered an intriguing example of “out of band” security verification (where the “band” is the web):
- Provide a telephone number
- AWS provides a PIN on the website
- Receive the call (within 5 seconds!)
- Enter the PIN using the telephone keypad
- Verification appears on the website 5 seconds later
This (almost) ensures that it’s a human interacting with the site, rather than a machine. CAPTCHA is broken, so relying on a working telephone number with voice prompts makes it much harder for spam-bots/machines to interact with the system like this.
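The server side of a flow like the one listed above could be sketched as follows. This is an added example, not AWS's code: the class and method names, the PIN length, the expiry time and the attempt limit are all assumptions, since the page only describes what the user sees.

```python
import hmac
import secrets
import time

PIN_DIGITS = 4      # assumption: the page does not state the PIN length
PIN_TTL = 120       # assumption: seconds a displayed PIN stays valid
MAX_ATTEMPTS = 3    # assumption: keypad tries allowed before the PIN is dropped


class OutOfBandVerifier:
    """The web channel displays a PIN; the telephone channel must echo it back."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._pending = {}      # session_id -> [phone, pin, expires_at, attempts]
        self._verified = set()

    def start(self, session_id, phone):
        """Web side: record the phone number and return the PIN to display."""
        pin = "".join(secrets.choice("0123456789") for _ in range(PIN_DIGITS))
        self._pending[session_id] = [phone, pin, self._clock() + PIN_TTL, 0]
        return pin

    def keypad_entry(self, session_id, called_phone, digits):
        """Phone side: digits keyed in during the call placed to called_phone."""
        entry = self._pending.get(session_id)
        if entry is None:
            return False
        phone, pin, expires_at, attempts = entry
        if called_phone != phone or self._clock() > expires_at:
            del self._pending[session_id]
            return False
        if hmac.compare_digest(digits.encode(), pin.encode()):
            del self._pending[session_id]       # a PIN is single use
            self._verified.add(session_id)
            return True
        entry[3] = attempts + 1
        if entry[3] >= MAX_ATTEMPTS:            # a short PIN must not be guessable
            del self._pending[session_id]
        return False

    def is_verified(self, session_id):
        """Web side: polled by the page until the verification appears."""
        return session_id in self._verified
```

The PIN is bound to both the web session and the number that was called, so digits keyed on one call cannot verify a different session.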
In theory, this is analogous to other multi-band techniques, such as receiving a credit card PIN in the post, but the slickness, speed and effectiveness of the AWS approach are impressive.
More out-of-band verification now with Google Apps – using a one-time code sent to a mobile phone:
http://www.computing.co.uk/computing/news/2270140/two-step-authentication-added