[brainfire]

The bad idea is being sent a (potentially interceptable) SMS with a code.

The Estonian method is described as using a private key present on the SIM card, just like a normal smart card used for authenticating/signing.

[candiodari]

That's how every bank I know in Australia, at least 2 US banks and 4 European banks do it. Transfer (sometimes login too) ? Code over SMS.

Besides, pretty much all banks simply use 2 or 3 factor authentication as an anticompetitive tactic (half the businesses in most countries pay the banks 2-300$ per month just for scheduled download of transactions)