Isn’t it true that it is fairly trivial for attackers to spoof the number they are calling “from”? If so, this could be a serious security weakness, couldn’t it?
Spoofing the phone number is not very hard. That said, you'd still need the PIN to gain access to the email. A 4-digit PIN is not the most secure thing around, but the combo of the phone number and the PIN seems reasonably safe. Thoughts?
1. It is omitted from the steps in the main content area, and
2. Due to a design neurosis I have, I did not process the bit at the top that talks about the PIN being required because my brain fixated on the different icon styles (Logo: what I think of as SVG style; Gmail: well, Gmail; Phone: Silk-esque; PIN/shield: Vista/Win 7). I trust the vast majority of your visitors will be able to retain the information you presented instead of doing whatever my own mind does…
Anyway, thanks for pointing that out. I think I’ll try it out!
A 4-digit PIN isn't good enough if you care at all about thwarting serious attackers. Do a quick calculation of how long it would take an attacker with a script and 10 phone lines to get access.
Maybe you could translate a longer password into the corresponding touchtones?