by jof
4256 days ago
This probably leads to a great user experience. However, if this catches on, SMS sniffing over the air is going to really pick up! :p
SMS messages are often carried over GSM control channels, generally unencrypted over the air. Even when they are encrypted, it's only A5/1 (already broken).
For example, the SMS contains a short token. The login form has a (non-visible) 128-bit random guid. When the form is submitted, both tokens are sent to the server and the server verifies that they are both correct.
It doesn't matter how secure the SMS is; it's only one part of the secret. If it's intercepted, the attacker won't be able to guess the guid. Alternatively, if someone is at a login form and trying to guess the short code, just limit each guid to a small number of attempts before expiring.
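The two-part scheme sketched above, written out as an added example (this is not code from the comment or from any product mentioned; the `SmsLoginServer` class, its 6-digit code, 3-attempt limit and 5-minute lifetime are all assumptions chosen for illustration). It shows the three properties the comment relies on: a sniffed SMS code is useless without the hidden 128-bit guid, a guid is thrown away after a few wrong guesses, and a guid is single-use and expires.

```python
"""Hypothetical two-part login: a short SMS code bound to a 128-bit per-form guid."""
import hmac
import secrets
import time

CODE_DIGITS = 6        # length of the short code typed in by the user (assumption)
MAX_ATTEMPTS = 3       # guesses allowed per guid before it is discarded (assumption)
TTL_SECONDS = 300      # guid lifetime in seconds (assumption)


class SmsLoginServer:
    """Server side of the scheme from the comment above (constructed example)."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._pending = {}      # guid -> {"user", "code", "attempts", "expires"}
        self.sent_sms = []      # stand-in for an SMS gateway: (user, code) pairs

    def start_login(self, user):
        """Render the login form: mint a fresh guid and text the user a short code."""
        guid = secrets.token_hex(16)  # 128 random bits, goes in a hidden form field
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        self._pending[guid] = {
            "user": user,
            "code": code,
            "attempts": 0,
            "expires": self._clock() + TTL_SECONDS,
        }
        self.sent_sms.append((user, code))   # in reality this goes over the air
        return guid

    def verify(self, guid, code):
        """Check both halves. The guid is consumed on success, on expiry, or
        once MAX_ATTEMPTS guesses have been made against it."""
        rec = self._pending.get(guid)
        if rec is None:
            return False                     # unknown, already used or locked guid
        if self._clock() > rec["expires"]:
            del self._pending[guid]          # stale form; force a fresh guid + SMS
            return False
        rec["attempts"] += 1
        # constant-time compare so timing does not leak how many digits matched
        ok = hmac.compare_digest(rec["code"], str(code))
        if ok or rec["attempts"] >= MAX_ATTEMPTS:
            del self._pending[guid]          # single use, and brute-force lockout
        return ok

    def pending_count(self):
        """Number of guids still waiting for a code (handy for tests/monitoring)."""
        return len(self._pending)


if __name__ == "__main__":
    srv = SmsLoginServer()
    guid = srv.start_login("alice")
    sniffed_code = srv.sent_sms[-1][1]
    # Attacker who sniffed the SMS but never saw the form: no guid, no login.
    print("sniffed code alone:", srv.verify(secrets.token_hex(16), sniffed_code))
    # Legitimate user submits both halves from the same form.
    print("code + guid:", srv.verify(guid, sniffed_code))
    # Replay of the same pair is refused because the guid was consumed.
    print("replay:", srv.verify(guid, sniffed_code))
```

The attempt counter lives on the guid, not on the account, so an attacker cannot lock a victim out by hammering the SMS code: they would need to request fresh forms, each of which triggers a new SMS and a new, unrelated guid.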