by anlif 3518 days ago
The same idea is used in Norway. Most banks and public services (e.g. tax returns) use this system for online two-factor authentication.

[1] https://www.bankid.no/en/

Didn't NIST just say two factor via mobile is a "bad idea"? Have Norway or Estonia responded?

EDIT: Thank you, whoever downvoted an honest question that added to the discussion.

The bad idea is being sent a (potentially interceptable) SMS with a code.

The Estonian method is described as using a private key present on the SIM card, just like a normal smart card used for authenticating/signing.

That's how every bank I know in Australia, at least 2 US banks and 4 European banks do it. Transfer (sometimes login too) → Code over SMS.

Besides, pretty much all banks simply use 2 or 3 factor authentication as an anticompetitive tactic (half the businesses in most countries pay the banks 2-300$ per month just for scheduled download of transactions).

I think that was for SMS, not specifically mobile.