So, I assume many of you are familiar with two-factor authentication. I'm talking about the kind that, alongside your username and password, you either get a text message with a code sent to your phone or you enter a constantly changing code from an authenticator app like Google Authenticator.
But what if we get rid of the password? It's not like it was doing anything anyway. Even if you lose your phone you can just have it remotely erase itself and get a new phone with the same phone number.
My point is, I don't understand how a password can ever compare to authentication via an authenticator app. If you lose the phone, remote wipe it and get a new one. If people try to spam you with verification code text messages, they'll be throttled and quickly stopped.
There is probably some huge obvious flaw in this idea I am overlooking. But if there isn't, I think it's viable. Though obviously I don't think it will ever become the norm. It's just an idea.
There are three common factors used for authentication: something you know, something you have, and something you are. The level of security required would dictate which and how many of the factors are appropriate for the situation.
I would not want to have to jump through hoops to log into this site for example but I don't mind it for my bank.
> There is probably some huge obvious flaw in this idea I am overlooking.
You are assuming that the phone network / authenticator service can never be compromised.
The basic idea behind multi-stage authentication is that the probability of all the stages being simultaneously compromised is far lower than that of one of them being compromised.
There are many ways to circumvent remote wipe and not many people are paranoid enough to protect themselves even from the majority of them.
Think about it: a stolen phone almost surely gives away your e-mail, which has the same phone set as the receiver of authentication codes. And you will not be quick enough to block your SIM.
Secondly: trojans. There are loads of them whose purpose is to steal bank SMS confirmation codes. I saw one which tried to steal Facebook/Gmail codes.
It is another layer of safety. Every authentication method has its flaws and combining them is more effective than trying to improve the safety of a single one.
Part of it, at least in my opinion, is that passwords are just so convenient. Some people don't have cell phones, and they shouldn't have to. Despite the inconvenience, two-factor authentication is widely used in finances, including bitcoin.