<?xml version='1.0' encoding='UTF-8'?><rss xmlns:atom='http://www.w3.org/2005/Atom' xmlns:openSearch='http://a9.com/-/spec/opensearchrss/1.0/' xmlns:georss='http://www.georss.org/georss' version='2.0'><channel><atom:id>tag:blogger.com,1999:blog-1261000797893931369</atom:id><lastBuildDate>Mon, 06 Jul 2009 15:14:43 +0000</lastBuildDate><title>Safe Telework</title><description></description><link>http://www.safetelework.com/blog/</link><managingEditor>noreply@blogger.com (Joel Haspel)</managingEditor><generator>Blogger</generator><openSearch:totalResults>36</openSearch:totalResults><openSearch:startIndex>1</openSearch:startIndex><openSearch:itemsPerPage>25</openSearch:itemsPerPage><item><guid isPermaLink='false'>tag:blogger.com,1999:blog-1261000797893931369.post-301984515560082114</guid><pubDate>Mon, 06 Jul 2009 15:00:00 +0000</pubDate><atom:updated>2009-07-06T11:14:43.723-04:00</atom:updated><category domain='http://www.blogger.com/atom/ns#'>telework</category><title>Most Embarrassing Telework Moments</title><description>We've all had them - those moments when, suddenly, working in the office looks like it might not be such a bad idea after all. &lt;br /&gt;&lt;br /&gt;Kids crying or dogs barking while you're delivering a presentation by conference call from home usually tops the list of anecdotes, but there are countless others.  Webcam inadvertently left on so people at the other end see or hear things they shouldn't?  Forgot that someone from the office was stopping by to pick up / drop off a package, and therefore neglected to clean up the mess at home / take a shower / put on pants?&lt;br /&gt;&lt;br /&gt;In spite of the most mortifying experiences, telework should still be at the core of 21st century workstyles for most white-collar workers.  But let's not forget the funny stuff!  What's your most embarrassing telework story?  
We'll collect the best and publish them in a few weeks.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1261000797893931369-301984515560082114?l=www.safetelework.com%2Fblog'/&gt;&lt;/div&gt;</description><link>http://www.safetelework.com/blog/2009/07/most-embarrassing-telework-moments.html</link><author>noreply@blogger.com (Joel Haspel)</author><thr:total xmlns:thr='http://purl.org/syndication/thread/1.0'>0</thr:total></item><item><guid isPermaLink='false'>tag:blogger.com,1999:blog-1261000797893931369.post-7863221655471645927</guid><pubDate>Fri, 26 Jun 2009 19:09:00 +0000</pubDate><atom:updated>2009-06-26T15:12:10.810-04:00</atom:updated><category domain='http://www.blogger.com/atom/ns#'>healthcare</category><category domain='http://www.blogger.com/atom/ns#'>security</category><category domain='http://www.blogger.com/atom/ns#'>remote access</category><title>Securing Your Company's Information</title><description>We originally developed this guide for healthcare companies to help them secure their networks and critical information, but it applies to virtually every company, because almost everyone has some sort of sensitive data on their computers.  
&lt;br /&gt;&lt;br /&gt;&lt;a href="http://safetelework.com/data/Plethora_Top10_2.pdf"&gt;Click here to access our Top 10 Tips for securing your sensitive information&lt;/a&gt;, particularly as it applies to networks with remote access requirements.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1261000797893931369-7863221655471645927?l=www.safetelework.com%2Fblog'/&gt;&lt;/div&gt;</description><link>http://www.safetelework.com/blog/2009/06/securing-your-companys-information.html</link><author>noreply@blogger.com (Joel Haspel)</author><thr:total xmlns:thr='http://purl.org/syndication/thread/1.0'>0</thr:total></item><item><guid isPermaLink='false'>tag:blogger.com,1999:blog-1261000797893931369.post-4935472206790376280</guid><pubDate>Mon, 15 Jun 2009 15:53:00 +0000</pubDate><atom:updated>2009-06-15T16:05:56.497-04:00</atom:updated><category domain='http://www.blogger.com/atom/ns#'>telework</category><category domain='http://www.blogger.com/atom/ns#'>policy</category><category domain='http://www.blogger.com/atom/ns#'>telework program</category><category domain='http://www.blogger.com/atom/ns#'>telework policy</category><category domain='http://www.blogger.com/atom/ns#'>telecommute</category><title>Five key questions your telework policy should answer</title><description>When establishing a telework program for your company, you should strongly consider having a formal telework policy.  This written document will outline the program, eliminate gray areas, and help to prevent future disputes.  
As with any business planning document, it should be considered a "living document" and therefore should be revisited at least once a year.&lt;br /&gt;&lt;br /&gt;Your telework policy may contain a wide range of terms and conditions, but should definitely include answers to the following five questions:&lt;br /&gt;&lt;br /&gt;1) &lt;b&gt;Which jobs within your company are telework-friendly?&lt;/b&gt;  Not every job is well suited for remote execution, and some job titles that are easily teleworked in another company may not be in yours.  Along the same lines, what types of employees are best suited for telework?  Be honest. Elements from previous performance appraisals can provide clues - generally, you're looking for self-starters, those who produce quality work on time and without a huge amount of oversight, and employees who are comfortable working independently.&lt;br /&gt;&lt;br /&gt;2) &lt;b&gt;Where can a teleworking employee consider a suitable "alternate work site"?&lt;/b&gt;  For some people, like computer programmers, a coffee shop may work fine, but for others, like salespeople or customer support reps who are on the phone all the time, a dedicated home office may be required.  Again, be honest, and do all you can to get buy-in from the employees so they don't find this decision to be a burden on their productivity.&lt;br /&gt;&lt;br /&gt;3) &lt;b&gt;What sort of equipment does a teleworker need, and who's going to pay for it?&lt;/b&gt;  Does the remote worker need a dedicated laptop, or can they use their personal home PC?  Do they need a dedicated phone line, a special phone, or a high-quality headset?  Will they be handling company paper and require a fireproof safe or other locking file cabinet?  What kind of software will be available to get them to company IT resources (VPN, Remote Desktop, etc)?  If answered incorrectly - or worse, ignored - these details can impact efficiency and cause even the best worker to become less productive.  
With the right environment, that same worker is likely to gain productivity, so pay careful attention to these items.&lt;br /&gt;&lt;br /&gt;4) &lt;b&gt;What sort of communication schedule should the teleworker adhere to?&lt;/b&gt;  Are there daily or weekly team meetings or conference calls already?  If so, is there a good way for the teleworker to participate (i.e. conference bridge or WebEx/GoToMeeting)?  If you don't have regularly scheduled communication opportunities, perhaps now is the time to implement them.  What times of day should the teleworker be available for ad-hoc communication from colleagues, and, just as importantly, what times will colleagues be available for communication from the teleworking employee?  Does everyone have email / IM / Twitter / Facebook to allow for comfortable interaction?  Communication is perhaps the most subtle, but most critical stumbling block for telework - when we're not all in the same physical location, it takes a little bit of effort and forethought to ensure that teams still cohere, and that the company doesn't lose its sense of shared purpose.  By scheduling regular communication opportunities, and establishing a solid calendar of coworker availability, you can achieve purposeful and productive communication rather than the random and often distracting communication at the water cooler.&lt;br /&gt;&lt;br /&gt;5) &lt;b&gt;Is telework right for you and your organization?&lt;/b&gt; We generally advise against full-time telework all the time.  A day or two in the office each week, or at least each month, can be very valuable.  Relationship-building, brainstorming, creative thinking, and many other aspects of business life simply work better when conducted in person at least some of the time.  Working entirely distant from colleagues can be successful, but it requires such an extreme effort that the benefits are generally outweighed by the cost.  
For some, it is undoubtedly the right decision - but a decision that should be made with great care.  In most cases, research and anecdotal experience point to 3 telework days each week (give or take 1) as the ideal scenario.  In-office days can be used for creative, synergistic, team-oriented activities, and work-at-home days can be used for document creation, phone calls, and other more solitary work.  When balanced properly, tremendous productivity gains are possible, so think long and hard on this question.&lt;br /&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1261000797893931369-4935472206790376280?l=www.safetelework.com%2Fblog'/&gt;&lt;/div&gt;</description><link>http://www.safetelework.com/blog/2009/06/five-key-questions-your-telework-policy.html</link><author>noreply@blogger.com (Joel Haspel)</author><thr:total xmlns:thr='http://purl.org/syndication/thread/1.0'>0</thr:total></item><item><guid isPermaLink='false'>tag:blogger.com,1999:blog-1261000797893931369.post-2852012127417653318</guid><pubDate>Mon, 08 Jun 2009 18:20:00 +0000</pubDate><atom:updated>2009-06-08T14:22:38.255-04:00</atom:updated><category domain='http://www.blogger.com/atom/ns#'>netbook</category><category domain='http://www.blogger.com/atom/ns#'>secure remote desktop</category><category domain='http://www.blogger.com/atom/ns#'>vpn</category><category domain='http://www.blogger.com/atom/ns#'>iphone</category><title>Netbook as Remote Access Device</title><description>There's lots of buzz in the market these days about mobile devices - particularly the latest round of iPhone / Palm / Blackberry smart phones.  I love my iPhone, but I still can't imagine doing any real work on it.  
It's amazing for email, getting a map, seeing the weather radar, updating Facebook, and so much more -- but the screen is too small, and the navigation and keyboard too cumbersome, to possibly do substantial work.  If I need to work on a PowerPoint, dig into some Excel formulas, or update the content and images on our websites, I simply can't do that from my iPhone.  I need a bigger screen, a full-size keyboard, and preferably, a mouse.  &lt;br /&gt;&lt;br /&gt;That's where a &lt;a href="http://en.wikipedia.org/wiki/Netbook"&gt;Netbook &lt;/a&gt;comes in.  Small but not too small, and coming in at only a few hundred dollars, a netbook (also known as UMPC or Ultra-Mobile PC) can be the perfect on-the-go computer for the mobile knowledge worker.  Netbooks all have built-in wifi, and many even have built-in cellular broadband coverage (with a plan from Verizon, AT&amp;T, or Sprint, of course), so you're able to be connected all the time.&lt;br /&gt;&lt;br /&gt;That connectivity is critical, because you don't want to fall into the trap of loading all your data and software onto the netbook device itself.  That'll tax the capabilities of the device, use the battery faster, and increase the damage if the device is lost or stolen.&lt;br /&gt;&lt;br /&gt;Instead, you should think of the netbook as a portable terminal to your information.  Don't carry the info with you - reach out across the Internet and work with it in its native location.  That means using a secure remote desktop solution to log into your main PC back at the office, or a VPN to connect to the office network.  Tools like chat, IM, and even &lt;a href="http://www.twitter.com/safetelework"&gt;Twitter &lt;/a&gt;help to keep you in the loop even when you're miles away.  Google Docs and other online applications provide another way to leverage ubiquitous connectivity without overstepping the bounds of what the netbook can handle.&lt;br /&gt;&lt;br /&gt;What are your experiences with netbooks?  
Any favorite brands or models?&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1261000797893931369-2852012127417653318?l=www.safetelework.com%2Fblog'/&gt;&lt;/div&gt;</description><link>http://www.safetelework.com/blog/2009/06/netbook-as-remote-access-device.html</link><author>noreply@blogger.com (Joel Haspel)</author><thr:total xmlns:thr='http://purl.org/syndication/thread/1.0'>3</thr:total></item><item><guid isPermaLink='false'>tag:blogger.com,1999:blog-1261000797893931369.post-7591951711829951058</guid><pubDate>Wed, 03 Jun 2009 17:57:00 +0000</pubDate><atom:updated>2009-06-04T11:11:12.404-04:00</atom:updated><category domain='http://www.blogger.com/atom/ns#'>telework</category><category domain='http://www.blogger.com/atom/ns#'>security</category><category domain='http://www.blogger.com/atom/ns#'>telecommute</category><category domain='http://www.blogger.com/atom/ns#'>safe remote access</category><category domain='http://www.blogger.com/atom/ns#'>2-factor authentication</category><title>Security Alert Shows Web Remote Access Weaknesses</title><description>Remote computer access users beware - several new vulnerabilities have been revealed in existing solutions.  One solution, LogMeIn, was noted to have such vulnerabilities with the exploits to take advantage and control your PC without authorization.  More info here: &lt;a href="http://securethoughts.com/2009/06/multiple-vulnerabilities-in-logmein-web-interface-can-be-used-to-control-your-computer-and-steal-arbitary-files/"&gt;http://securethoughts.com/2009/06/multiple-vulnerabilities-in-logmein-web-interface-can-be-used-to-control-your-computer-and-steal-arbitary-files/&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;This announcement leads to a critical question in today's hyperconnected world: just how secure is the web?  The answer, sadly, is "not very secure".  
With the rapid proliferation of web browsers (IE, Mozilla, Chrome, Opera, Safari, and so on), the arms-race style of releasing new version upgrades before the ink on the last version is even dry, and (relatively) new technologies like PHP, CSS, javascript, and so on, browsers are increasingly vulnerable to attack.&lt;br /&gt;&lt;br /&gt;Factor in the &lt;a href="http://cdslash.net/2008/12/the-ssl-md5-exploit/"&gt;ever-targeted SSL / CA infrastructure&lt;/a&gt; at the core of browser-based encryption and site authentication, and you've got fertile territory for malicious forces.&lt;br /&gt;&lt;br /&gt;So what's the solution?  Don't use browser-based interfaces unless you absolutely have to.  "Real" desktop software is remarkably portable these days - on USBs directly or via U3 or VMWare Pocket Ace, or via download on broadband that's available anywhere you have cell coverage, or even installed directly on the disk of a lightweight UMPC.  These solutions can provide additional security through &lt;a href="http://www.safetelework.com/blog/2009/06/why-authentication-matters-most.html"&gt;2-factor authentication&lt;/a&gt;. There's no need to risk your critical information on web-based access tools.  
If you need to have a more secure solution you might want to look for a &lt;a href="http://www.safetelework.com"&gt;GoToMyPC alternative&lt;/a&gt; or a LogMeIn alternative.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1261000797893931369-7591951711829951058?l=www.safetelework.com%2Fblog'/&gt;&lt;/div&gt;</description><link>http://www.safetelework.com/blog/2009/06/security-alert-shows-web-remote-access.html</link><author>noreply@blogger.com (Joel Haspel)</author><thr:total xmlns:thr='http://purl.org/syndication/thread/1.0'>0</thr:total></item><item><guid isPermaLink='false'>tag:blogger.com,1999:blog-1261000797893931369.post-1426493551871016146</guid><pubDate>Wed, 03 Jun 2009 17:49:00 +0000</pubDate><atom:updated>2009-06-03T13:51:35.818-04:00</atom:updated><category domain='http://www.blogger.com/atom/ns#'>telework</category><category domain='http://www.blogger.com/atom/ns#'>security</category><category domain='http://www.blogger.com/atom/ns#'>telecommute</category><category domain='http://www.blogger.com/atom/ns#'>2-factor authentication</category><title>Why Authentication Matters Most</title><description>&lt;div align=center&gt;&lt;img src="http://www.safetelework.com/images/puzzle.jpg" border=0&gt;&lt;/div&gt;&lt;br /&gt;Most websites and remote access tools use encryption as a way to imply security.  The more encryption - measured in bits (i.e. 256 bit is better than 128 bit) - the better.  Statements like "128-bit encryption, as strong as online banking" are common across the industry.  While encryption is important, and such statements are true, they are also misleading.&lt;br /&gt;&lt;br /&gt;Encryption strength only tells part of the story - the less important part, in my opinion.  
That's because no matter how strong your encryption is, your overall security is only as strong as the authentication used to begin the user's session.&lt;br /&gt;&lt;br /&gt;Think about it this way: thick walls, barred windows, and barbed wire fences don't keep prisoners in jail if they can just walk out the front door without someone checking their ID.  Similarly, you can have the best encryption, firewalls, and network intrusion detection tools in the world, but if your systems don't properly validate users, those measures won't keep attackers out.  Poor authentication is the weak link in the chain, the wide-open door in an otherwise impenetrable fortress.&lt;br /&gt;&lt;br /&gt;The problem is that if someone can defeat your authentication, the rest of the defensive systems don't know they're the bad guy.  In fact, the rest of the systems - firewalls, etc - think they're actually one of the good guys.  Once through the door and inside the walls, the attacker can act as if he or she were a real employee, and your perimeter defenses are rendered useless. &lt;br /&gt;&lt;br /&gt;So, what can you do about it?&lt;br /&gt;&lt;br /&gt;The answer is simple: implement &lt;a href="http://en.wikipedia.org/wiki/Two-factor_authentication"&gt;2-factor authentication&lt;/a&gt; (or 3-factor or more).  2-factor authentication - or multi-factor authentication in the general case - is achieved when a user's identity must be validated by two distinct types ("factors") of authentication.  Typically, this means combining something you know, something you have, and (optionally) something you are. &lt;br /&gt;&lt;br /&gt;The best real-world example is an ATM.  The machine requires you to present both your ATM Card (something only you should have) and a PIN (something only you should know).  If one is presented without the other, no money is dispensed.  So, a stolen card or a stolen PIN is useless on its own.  
A retina or fingerprint scan may be added for additional security.&lt;br /&gt;&lt;br /&gt;In the case of computer logon, the elements are typically a password (something you know), a USB authentication device (something you have), and an optional fingerprint or retina scan (something you are). &lt;br /&gt;&lt;br /&gt;A good multi-factor authentication system thwarts most common break-in attempts, which are based on attacking passwords.  Even if your password is lost, stolen, purchased, phished, or otherwise obtained by someone with bad intentions, they won't have your USB device or your finger (hopefully!), so the password does them no good.  And passwords are compromised &lt;font style="font-weight:bold;"&gt;all the time&lt;/font&gt;.  I've personally run across dozens of &lt;a href="http://www.enterpriseinaflash.com/security/Password_Security_Breach_4-2-08.pdf"&gt;documents&lt;/a&gt; and pages on the web with passwords for the world to see, and those with more nefarious goals have access to thousands more.  
With passwords getting weaker and less reliable all the time, it is more important than ever to implement multi-factor authentication.&lt;br /&gt;&lt;br /&gt;In the case of remote access, more so than almost any other application, it is absolutely critical to use multi-factor authentication, because compromised remote access systems open your entire network to attackers.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1261000797893931369-1426493551871016146?l=www.safetelework.com%2Fblog'/&gt;&lt;/div&gt;</description><link>http://www.safetelework.com/blog/2009/06/why-authentication-matters-most.html</link><author>noreply@blogger.com (Joel Haspel)</author><thr:total xmlns:thr='http://purl.org/syndication/thread/1.0'>0</thr:total></item><item><guid isPermaLink='false'>tag:blogger.com,1999:blog-1261000797893931369.post-8064926137865747793</guid><pubDate>Mon, 01 Jun 2009 17:06:00 +0000</pubDate><atom:updated>2009-06-01T13:07:09.239-04:00</atom:updated><category domain='http://www.blogger.com/atom/ns#'>telework</category><category domain='http://www.blogger.com/atom/ns#'>telecommute</category><title>Top 5 Tips for a New Teleworker</title><description>If you are new to teleworking, there are a few things that might be important for you to consider in order to be as productive as possible. These basic things might help make the transition from the traditional office to the home office go smoothly. You should also recognize that your situation could be a little different, but for the most part these are good ideas that can help keep you as productive at the house as you are in the office.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight:bold;"&gt;1. Have a separate and specific workplace. &lt;/span&gt;&lt;br /&gt;&lt;br /&gt;Creating a separate and specific workplace is critical to being an effective teleworker. 
It doesn't mean that you can't mix it up on occasion, but when you are getting started you need to know where everything is and be able to access it quickly. Often as a teleworker you spend a considerable amount of time on the telephone. You don't want to have to jump up and look for the phone when your manager is calling, especially if they are not as sold on the telework idea as you are. It is important that they feel like you are in a productive environment.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight:bold;"&gt;2. Try to avoid distractions&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;This tip is both for productivity and perception. Distractions while on a Skype call or the telephone can be perceived as less than professional. You want to be sure that you have a distraction-free area that you can work in during the day. Of course, fewer distractions will also mean better productivity. Another thing to consider is that home distractions are a little different than office distractions. Some people get distracted by a messy living room or a sink full of dirty dishes. If this distracts you mentally, then be sure to have the house "picked up" before you start your work day. &lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight:bold;"&gt;3. Take a lunch break&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;Teleworkers sometimes feel that they have to be at their computer for the entire day in order to respond to instant messages, Skype requests, and emails immediately. But to be productive at home you need to take the same short breaks that you take at the office. Get up, take a walk, and eat a healthy lunch. One of the benefits of telework is being able to go to lunch in your own kitchen. &lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight:bold;"&gt;4. Get a great telephone&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;This tip really depends on what type of work you do. If you are a manager or part of a sales team then you might have to spend a lot of time on the telephone. 
If you are a computer programmer then maybe not. If you are going to be on the phone a lot, get a nice phone with a good "hands free" or speaker phone option. Using a cheap phone will make it harder for you to hear and will require more mental power to listen. Some people like to use headsets as well, so that might be a good option for you. And as a tip within a tip, be sure to have at least one phone at your work area be plugged into a wall. Conference calls can drag on for hours and your wireless phone batteries will not last that long.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight:bold;"&gt;5. Check in often&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;It is important that as a teleworker you initiate communication back with your group throughout the day. This gives your team a feeling that you are part of the group. However, be sure that you are adding value to the goals of the team and not just being annoying. After your work routine gets established this need to connect may go away, but early on you want to be sure that you are adding value and contributing and your team knows that you are easy to reach.  &lt;br /&gt;&lt;br /&gt;&lt;br /&gt;Now, what are some of your top tips? Post any tips you have in the comment area or link back from your blog.  
Thanks.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1261000797893931369-8064926137865747793?l=www.safetelework.com%2Fblog'/&gt;&lt;/div&gt;</description><link>http://www.safetelework.com/blog/2009/06/top-5-tips-for-new-teleworker.html</link><author>noreply@blogger.com (Joel Haspel)</author><thr:total xmlns:thr='http://purl.org/syndication/thread/1.0'>0</thr:total></item><item><guid isPermaLink='false'>tag:blogger.com,1999:blog-1261000797893931369.post-640775811868157153</guid><pubDate>Fri, 29 May 2009 14:45:00 +0000</pubDate><atom:updated>2009-05-29T10:46:42.429-04:00</atom:updated><category domain='http://www.blogger.com/atom/ns#'>telework</category><category domain='http://www.blogger.com/atom/ns#'>safetelework</category><category domain='http://www.blogger.com/atom/ns#'>telecommute</category><category domain='http://www.blogger.com/atom/ns#'>safe remote access</category><title>Is Remote Access Over the Internet Safe?</title><description>If you telework, &lt;a href="http://en.wikipedia.org/wiki/Telecommute"&gt;telecommute&lt;/a&gt;, or just travel a lot as part of your job, you may wish that you could access the files on your office or work computer remotely. But is it safe?&lt;br /&gt;&lt;br /&gt;The safety of your remote access connection depends on many connected attributes.  If done well, it can be perfectly safe, and tremendously helpful.  If implemented poorly, your remote access systems can be a huge security hole.  The two critical areas to manage to ensure secure remote access are authentication and encryption.&lt;br /&gt;&lt;br /&gt;&lt;a href="http://en.wikipedia.org/wiki/Authentication"&gt;Authentication&lt;/a&gt; is key because it allows the software system to validate your identity.  
If another person can convince those systems that they are, in fact, you, then all other security elements are defeated because they will simply grant the imposter the same privileges the "real" you would have.  Passwords alone are generally considered too weak for this purpose, particularly if you handle any sort of sensitive data - financial records, HR information, medical records, product information, etc.  A "multifactor" authentication system (one where a password is combined with something you have, like a physical USB key, or something you are, like a fingerprint or retina scan) is necessary to truly protect your identity.&lt;br /&gt;&lt;br /&gt;Assuming your authentication is strong, &lt;a href="http://en.wikipedia.org/wiki/Encryption"&gt;encryption&lt;/a&gt; is used to protect your data as it traverses the Internet between your remote device and your office PCs and networks.  If the data isn't encrypted, anyone can intercept and read the information.  With encryption, even if an attacker intercepts the data stream, they won't be able to read the information because it's scrambled.  
256-bit AES encryption is the gold standard at the moment, because it requires an absurdly high amount of computing power and time to crack (by some estimates, 149 trillion years), and therefore protects your information against malicious use.&lt;br /&gt;&lt;br /&gt;So, when the technology is implemented properly, you can indeed work from home safely.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1261000797893931369-640775811868157153?l=www.safetelework.com%2Fblog'/&gt;&lt;/div&gt;</description><link>http://www.safetelework.com/blog/2009/05/is-remote-access-over-internet-safe.html</link><author>noreply@blogger.com (Joel Haspel)</author><thr:total xmlns:thr='http://purl.org/syndication/thread/1.0'>0</thr:total></item><item><guid isPermaLink='false'>tag:blogger.com,1999:blog-1261000797893931369.post-3845252174639061947</guid><pubDate>Thu, 28 May 2009 15:30:00 +0000</pubDate><atom:updated>2009-05-28T11:49:49.401-04:00</atom:updated><category domain='http://www.blogger.com/atom/ns#'>telework</category><category domain='http://www.blogger.com/atom/ns#'>safetelework</category><category domain='http://www.blogger.com/atom/ns#'>telecommute</category><title>Top 5 Jobs for Telework</title><description>Telework isn't for everyone.  A factory worker, chef, elementary school teacher, airline pilot, or car mechanic would have a difficult time working from home on a regular basis - at least as their jobs are currently structured.  Same for an astronaut, dog trainer, or anyone else with a hands-on sort of job description.  Instead, telework is best suited for information-oriented jobs that rely heavily on the computer and telephone.  These jobs might include writing, marketing, computer programming, engineering, accounting, legal work, etc.&lt;br /&gt;&lt;br /&gt;Here are my top 5.  How about you?  
Post yours in the comment area or link back from your blog, and we'll create a separate entry in a week or two with the best lists.&lt;br /&gt;&lt;br /&gt;&lt;font style="font-weight:bold;"&gt;Top Telework Jobs&lt;/font&gt;&lt;br /&gt;&lt;ol&gt;&lt;br /&gt;&lt;li&gt;Computer programmer&lt;/li&gt;&lt;br /&gt;&lt;li&gt;Technical writer&lt;/li&gt;&lt;br /&gt;&lt;li&gt;Call center representative&lt;/li&gt;&lt;br /&gt;&lt;li&gt;Budget analyst&lt;/li&gt;&lt;br /&gt;&lt;li&gt;Medical transcriptionist&lt;/li&gt;&lt;br /&gt;&lt;/ol&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1261000797893931369-3845252174639061947?l=www.safetelework.com%2Fblog'/&gt;&lt;/div&gt;</description><link>http://www.safetelework.com/blog/2009/05/top-5-jobs-for-telework.html</link><author>noreply@blogger.com (Joel Haspel)</author><thr:total xmlns:thr='http://purl.org/syndication/thread/1.0'>2</thr:total></item><item><guid isPermaLink='false'>tag:blogger.com,1999:blog-1261000797893931369.post-7370245030499145749</guid><pubDate>Tue, 26 May 2009 19:57:00 +0000</pubDate><atom:updated>2009-05-26T16:39:38.236-04:00</atom:updated><category domain='http://www.blogger.com/atom/ns#'>telework</category><category domain='http://www.blogger.com/atom/ns#'>safetelework</category><category domain='http://www.blogger.com/atom/ns#'>telecommute</category><title>Telework Doesn't Mean Solitary Confinement</title><description>One of the main benefits to working from home or a telework center is the peace and quiet of avoiding rush hour traffic and the distractions of the office.  Of course, one of the main drawbacks to working at home is that very same peace and quiet.  It can get &lt;b&gt;too&lt;/b&gt; quiet.  Here are some tips for avoiding the isolation.  
Post yours in the comment area or link back from your blog and we'll publish a list in a few weeks.&lt;br /&gt;&lt;br /&gt;&lt;b&gt;Top 5 Ways for Teleworkers to Avoid Isolation&lt;/b&gt;&lt;br /&gt;&lt;ol&gt;&lt;br /&gt;&lt;li&gt;Turn on some music - not all day long necessarily, but some music (or even TV news like CNN, though I personally find this more distracting) can help to break the monotony and re-energize your creative mind.&lt;/li&gt;&lt;br /&gt;&lt;li&gt;Take a break and go outside - walk around the neighborhood, mow the lawn, or just go get the mail.  Your coworkers in the office are taking breaks to get coffee, chat with colleagues down the hall, or go out for a smoke.  There's no reason you should be chained to your PC.&lt;/li&gt;&lt;br /&gt;&lt;li&gt;Take a lunch break!&lt;/li&gt;&lt;br /&gt;&lt;li&gt;Contact your colleagues in real time - IM, chat, videoconference, txt message, &lt;a href="http://www.twitter.com"&gt;twitter&lt;/a&gt;, &lt;a href="http://www.facebook.com"&gt;FaceBook&lt;/a&gt;, or even the plain old telephone will do the trick.  Just pick something other than email, which lacks the sense of conversation.  Try to communicate with coworkers at least once before lunch and once after, to stay connected.&lt;/li&gt;&lt;br /&gt;&lt;li&gt;Get into the office on a regular basis - even if you think you could telework every day, the research shows that's a bad idea.  At least one day of in-office time per week is a must-have for a truly effective telework program.  That day is best spent having meetings, building relationships, and engaging in creative and strategic exercises.  
Save the email, web research, and document editing for another telework day.&lt;/li&gt;&lt;/ol&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1261000797893931369-7370245030499145749?l=www.safetelework.com%2Fblog'/&gt;&lt;/div&gt;</description><link>http://www.safetelework.com/blog/2009/05/telework-doesnt-mean-solitary.html</link><author>noreply@blogger.com (Joel Haspel)</author><thr:total xmlns:thr='http://purl.org/syndication/thread/1.0'>0</thr:total></item><item><guid isPermaLink='false'>tag:blogger.com,1999:blog-1261000797893931369.post-2014658234451396605</guid><pubDate>Tue, 05 May 2009 00:48:00 +0000</pubDate><atom:updated>2009-05-04T20:51:34.600-04:00</atom:updated><title>Telework a Solution for Swine Flu?</title><description>While it obviously won't help make sick people better, telework is a great solution to keep operating in the face of a flu pandemic - whether it originates in birds, swine, or just plain ol' people.  It just makes sense to use a secure remote access solution to log in from home rather than ride on a crowded subway or visit a bustling office building.  
That's why having a tool like &lt;a href="http://www.safetelework.com"&gt;SafeTelework.com&lt;/a&gt; is so important -- that way, when something unexpected and bad happens (flu pandemic, ice storm, bridge collapse), you'll be prepared to maintain your operations as if nothing ever happened in the first place.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1261000797893931369-2014658234451396605?l=www.safetelework.com%2Fblog'/&gt;&lt;/div&gt;</description><link>http://www.safetelework.com/blog/2009/05/telework-solution-for-swine-flu.html</link><author>noreply@blogger.com (Joel Haspel)</author><thr:total xmlns:thr='http://purl.org/syndication/thread/1.0'>0</thr:total></item><item><guid isPermaLink='false'>tag:blogger.com,1999:blog-1261000797893931369.post-1711026189311579273</guid><pubDate>Thu, 12 Mar 2009 20:33:00 +0000</pubDate><atom:updated>2009-03-12T16:38:54.611-04:00</atom:updated><title>Telework savings are real</title><description>Here's a great &lt;a href="http://undress4success.com/research/telework-savings-calculator/"&gt;telework savings calculator&lt;/a&gt; that shows how much a company can save by implementing or expanding telework and telecommuting programs.  For a great real-world example, here is some &lt;a href="http://weblog.infoworld.com/sustainableit/archives/2008/06/telecommuting_s.html?source=fssr"&gt;information from Sun Microsystems&lt;/a&gt; on the amount they and their employees save.  
&lt;br /&gt;&lt;br /&gt;We've got a &lt;a href="http://www.safetelework.com/calculator_pc.html"&gt;Telework Savings Calculator&lt;/a&gt; of our own here at &lt;a href="http://www.safetelework.com"&gt;SafeTelework.com&lt;/a&gt;, designed to show how much you can personally save in commuting expenses and carbon emissions by reducing the amount of time you spend driving to and from work.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1261000797893931369-1711026189311579273?l=www.safetelework.com%2Fblog'/&gt;&lt;/div&gt;</description><link>http://www.safetelework.com/blog/2009/03/telework-savings-are-real.html</link><author>noreply@blogger.com (Joel Haspel)</author><thr:total xmlns:thr='http://purl.org/syndication/thread/1.0'>0</thr:total></item><item><guid isPermaLink='false'>tag:blogger.com,1999:blog-1261000797893931369.post-8681802127672647926</guid><pubDate>Thu, 05 Mar 2009 14:12:00 +0000</pubDate><atom:updated>2009-03-05T09:12:58.120-05:00</atom:updated><category domain='http://www.blogger.com/atom/ns#'>telework</category><category domain='http://www.blogger.com/atom/ns#'>security</category><category domain='http://www.blogger.com/atom/ns#'>telecommute</category><title>Telecommuting Security Discussion</title><description>Interesting discussion underway &lt;a href="http://http://www.itbusinessedge.com/cm/thread/1061"&gt;at IT Business Edge&lt;/a&gt; regarding security considerations for telework...&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1261000797893931369-8681802127672647926?l=www.safetelework.com%2Fblog'/&gt;&lt;/div&gt;</description><link>http://www.safetelework.com/blog/2009/03/telecommuting-security-discussion.html</link><author>noreply@blogger.com (Joel Haspel)</author><thr:total xmlns:thr='http://purl.org/syndication/thread/1.0'>0</thr:total></item><item><guid 
isPermaLink='false'>tag:blogger.com,1999:blog-1261000797893931369.post-731688277552272066</guid><pubDate>Wed, 04 Mar 2009 15:54:00 +0000</pubDate><atom:updated>2009-03-04T10:55:58.352-05:00</atom:updated><category domain='http://www.blogger.com/atom/ns#'>telework</category><category domain='http://www.blogger.com/atom/ns#'>telecommute</category><title>Telecommuting calculator and IT checklist</title><description>Knowledge Network provides &lt;a href="http://www.itbusinessedge.com/cm/community/kn/blog/the-ultimate-telecommuting-tool/?cs=30836"&gt;these useful tools&lt;/a&gt; for considering telework program implementation.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1261000797893931369-731688277552272066?l=www.safetelework.com%2Fblog'/&gt;&lt;/div&gt;</description><link>http://www.safetelework.com/blog/2009/03/telecommuting-calculator-and-it.html</link><author>noreply@blogger.com (Joel Haspel)</author><thr:total xmlns:thr='http://purl.org/syndication/thread/1.0'>0</thr:total></item><item><guid isPermaLink='false'>tag:blogger.com,1999:blog-1261000797893931369.post-6908236924373228512</guid><pubDate>Wed, 04 Mar 2009 02:59:00 +0000</pubDate><atom:updated>2009-03-03T22:00:19.633-05:00</atom:updated><category domain='http://www.blogger.com/atom/ns#'>telework</category><category domain='http://www.blogger.com/atom/ns#'>security</category><category domain='http://www.blogger.com/atom/ns#'>NIST</category><category domain='http://www.blogger.com/atom/ns#'>remote access</category><title>Remote Access &amp; Telework Security Guidelines</title><description>NIST recently published an updated set of guidelines for securing computer systems for telework and remote access.  
The document is available &lt;a href="http://csrc.nist.gov/publications/drafts/800-46Rev1/Draft-SP800-46r1.pdf"&gt;here&lt;/a&gt;.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1261000797893931369-6908236924373228512?l=www.safetelework.com%2Fblog'/&gt;&lt;/div&gt;</description><link>http://www.safetelework.com/blog/2009/03/remote-access-telework-security.html</link><author>noreply@blogger.com (Joel Haspel)</author><thr:total xmlns:thr='http://purl.org/syndication/thread/1.0'>0</thr:total></item><item><guid isPermaLink='false'>tag:blogger.com,1999:blog-1261000797893931369.post-5865454710048865451</guid><pubDate>Tue, 03 Mar 2009 22:06:00 +0000</pubDate><atom:updated>2009-03-03T17:10:38.354-05:00</atom:updated><category domain='http://www.blogger.com/atom/ns#'>passwords</category><category domain='http://www.blogger.com/atom/ns#'>images</category><category domain='http://www.blogger.com/atom/ns#'>vidoop</category><title>An innovative approach to authentication</title><description>Vidoop, as profiled &lt;a href="http://www.banktech.com/risk-management/showArticle.jhtml?articleID=214501852"&gt;here&lt;/a&gt;, is taking an interesting approach to authentication, using the fact that humans are good at identifying and categorizing images.  Basically, you select a category of images, and when you go to log in, it presents you with a grid of images, some of which fall into the category you selected.  You just type in the codes printed alongside those images, and that is your "password" for that session.  
While a unique physical device or biometric readout remains the best authentication credential in my mind, this new approach may help to make the "password part" of authenticating a bit less vulnerable.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1261000797893931369-5865454710048865451?l=www.safetelework.com%2Fblog'/&gt;&lt;/div&gt;</description><link>http://www.safetelework.com/blog/2009/03/innovative-approach-to-authentication.html</link><author>noreply@blogger.com (Joel Haspel)</author><thr:total xmlns:thr='http://purl.org/syndication/thread/1.0'>0</thr:total></item><item><guid isPermaLink='false'>tag:blogger.com,1999:blog-1261000797893931369.post-7974115974872675138</guid><pubDate>Thu, 19 Feb 2009 13:55:00 +0000</pubDate><atom:updated>2009-02-19T09:09:03.778-05:00</atom:updated><title>Single Sign On...  Single Factor?</title><description>&lt;a href="http://www.healthcareitnews.com/news/ohio-medical-center-goes-single-sign"&gt;Fairfield Medical Center&lt;/a&gt; announced its adoption of a single sign on (SSO) solution...  but no mention of anything more than management of passwords.  While SSO is a great tool, and something that makes a lot of sense for most organizations, it still leaves Fairfield vulnerable if any of those passwords are compromised.  HIPAA compliance is probably at the top of their list, so I hope they're considering how to implement multi-factor authentication of some sort, particularly for remote log-on to their systems.  Otherwise, anyone can impersonate an authorized doctor or staff member simply by guessing/buying/stealing their password(s).  
Outfitting each staffer with a physical "key" of some sort ensures that their login is protected, and the integrity of the system can be maintained.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1261000797893931369-7974115974872675138?l=www.safetelework.com%2Fblog'/&gt;&lt;/div&gt;</description><link>http://www.safetelework.com/blog/2009/02/single-sign-on-single-factor.html</link><author>noreply@blogger.com (Joel Haspel)</author><thr:total xmlns:thr='http://purl.org/syndication/thread/1.0'>0</thr:total></item><item><guid isPermaLink='false'>tag:blogger.com,1999:blog-1261000797893931369.post-8765188914826677016</guid><pubDate>Tue, 17 Feb 2009 22:41:00 +0000</pubDate><atom:updated>2009-02-17T17:57:47.407-05:00</atom:updated><title>P2P Networks Expose Health Information</title><description>&lt;a href="http://www.scmagazineus.com/Medical-data-leakage-rampant-on-P2P-networks/article/127216/"&gt;This article in Secure Computing Magazine&lt;/a&gt; discusses the risks posed by P2P network software, primarily file sharing systems like LimeWire.  Medical data is leaking at an alarming rate via tools like this, because they are difficult to control and have a tendency to reach out and collect data from everything they touch.  While this article focuses on healthcare data being exposed, it is just one kind of information that is leaking.  Financial records, social security numbers, and other data are at risk as well.  Perhaps most importantly, passwords and logon credentials are leaking, putting additional systems at risk and threatening a chain reaction.  
Obviously, banning the use of P2P sharing software would be a good step, and most likely necessary for HIPAA compliance (or Sarbanes-Oxley compliance for that matter) but it is equally important to implement "view-only" systems that prevent the download of sensitive data in the first place, and to protect vulnerable networks and corporate software systems with authentication that can stand up to the loss of passwords and login codes.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1261000797893931369-8765188914826677016?l=www.safetelework.com%2Fblog'/&gt;&lt;/div&gt;</description><link>http://www.safetelework.com/blog/2009/02/p2p-networks-expose-health-information.html</link><author>noreply@blogger.com (Joel Haspel)</author><thr:total xmlns:thr='http://purl.org/syndication/thread/1.0'>0</thr:total></item><item><guid isPermaLink='false'>tag:blogger.com,1999:blog-1261000797893931369.post-4104635153456918047</guid><pubDate>Mon, 16 Feb 2009 19:41:00 +0000</pubDate><atom:updated>2009-02-16T14:55:18.145-05:00</atom:updated><category domain='http://www.blogger.com/atom/ns#'>legislation</category><category domain='http://www.blogger.com/atom/ns#'>encryption</category><category domain='http://www.blogger.com/atom/ns#'>authentication</category><category domain='http://www.blogger.com/atom/ns#'>massachusetts</category><title>Massachusetts Extends Encryption Deadline</title><description>As &lt;a href="http://www.networkworld.com/news/2009/021309-data-protection-law-amended-deadline.html"&gt;reported here in Network World&lt;/a&gt;, Massachusetts has extended the deadline on its data encryption law until January 1, 2010.  The law mandates encryption of sensitive data, particularly personal data such as a combination of a name along with a Social Security number, bank account number, or credit card number.  &lt;br /&gt;&lt;br /&gt;The law is a good start, but still includes too many loopholes in my opinion.  
For instance, rather than mandating 2-factor authentication, it calls for "a reasonably secure method of assigning and selecting passwords, or use of unique identifier technologies, such as biometrics or token devices" (17.04 (1) (ii)).  There's no incentive to actually implement unique identifier technologies in that language - instead, just set up a policy for some sort of password rotation and declare it to be "reasonably secure"...&lt;br /&gt;&lt;br /&gt;Similarly, in 17.04 (3), the law requires that "To the extent technically feasible, encryption of all transmitted records and files containing personal information that will travel across public networks, and encryption of all data to be transmitted wirelessly."  I'm having a hard time thinking of many, if any, cases in which it is technically infeasible to apply encryption to records and files being transmitted across public and/or wireless networks.  Why is the modifier necessary?&lt;br /&gt;&lt;br /&gt;With the drumbeat of data breaches growing ever more constant, it seems that now is the time to get tough and demand -- not just suggest -- the use of best practices in encryption and authentication.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1261000797893931369-4104635153456918047?l=www.safetelework.com%2Fblog'/&gt;&lt;/div&gt;</description><link>http://www.safetelework.com/blog/2009/02/massachusetts-extends-encryption.html</link><author>noreply@blogger.com (Joel Haspel)</author><thr:total xmlns:thr='http://purl.org/syndication/thread/1.0'>0</thr:total></item><item><guid isPermaLink='false'>tag:blogger.com,1999:blog-1261000797893931369.post-8487154208179529823</guid><pubDate>Thu, 12 Feb 2009 02:29:00 +0000</pubDate><atom:updated>2009-02-11T21:34:50.504-05:00</atom:updated><title>Data Breaches More Costly Than Ever</title><description>According to &lt;a 
href="http://www.washingtonpost.com/wp-dyn/content/article/2009/02/02/AR2009020203064.html"&gt;the latest study by the Ponemon Group&lt;/a&gt;, as reported in The Washington Post, the average cost of recovering from a data breach is up to $6.6 million.  Even for small companies, an average cost of $202 per customer record adds up quickly to a crushing blow.  Now more than ever, it's critical to protect yourself from data loss.  That means encrypting data at rest on hard drives and USB Flash Drives, encrypting data in motion when remotely accessing information outside the office or sending data between people, and perhaps most importantly, focusing on strong authentication to ensure that the bad guys can't get in to your systems, even if they succeed in stealing a password or poking a hole in your outer defenses.  A little bit of time, attention, and investment in security now will prevent your business from paying a potentially fatal price down the road.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1261000797893931369-8487154208179529823?l=www.safetelework.com%2Fblog'/&gt;&lt;/div&gt;</description><link>http://www.safetelework.com/blog/2009/02/data-breaches-more-costly-than-ever.html</link><author>noreply@blogger.com (Joel Haspel)</author><thr:total xmlns:thr='http://purl.org/syndication/thread/1.0'>0</thr:total></item><item><guid isPermaLink='false'>tag:blogger.com,1999:blog-1261000797893931369.post-1137186338661756934</guid><pubDate>Tue, 10 Feb 2009 12:57:00 +0000</pubDate><atom:updated>2009-02-10T08:00:21.392-05:00</atom:updated><title>FAA Hacked</title><description>Another high-profile case of data loss occurred last week, when the FAA was hacked.  Apparently, files containing social security numbers and medical information for 45,000 current and former FAA employees were compromised.  &lt;br /&gt;&lt;br /&gt;The data breach drumbeat just keeps getting louder.  
Take steps now to protect yourself - encryption, 2-factor authentication, strong networking practices, etc.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1261000797893931369-1137186338661756934?l=www.safetelework.com%2Fblog'/&gt;&lt;/div&gt;</description><link>http://www.safetelework.com/blog/2009/02/faa-hacked.html</link><author>noreply@blogger.com (Joel Haspel)</author><thr:total xmlns:thr='http://purl.org/syndication/thread/1.0'>0</thr:total></item><item><guid isPermaLink='false'>tag:blogger.com,1999:blog-1261000797893931369.post-8576920000065193175</guid><pubDate>Mon, 09 Feb 2009 20:42:00 +0000</pubDate><atom:updated>2009-02-09T15:47:55.605-05:00</atom:updated><category domain='http://www.blogger.com/atom/ns#'>passwords</category><category domain='http://www.blogger.com/atom/ns#'>Kaiser</category><category domain='http://www.blogger.com/atom/ns#'>data breach</category><title>Kaiser Permanente, too...</title><description>&lt;a href="http://www.crn.com/security/213301016"&gt;30,000 Kaiser employees are now at risk of identity theft&lt;/a&gt;, and the company is at risk of break-ins on any systems without 2-factor authentication, after a recent data breach in California...  
Just another example of how easy it is to have your password compromised, even through no fault of your own.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1261000797893931369-8576920000065193175?l=www.safetelework.com%2Fblog'/&gt;&lt;/div&gt;</description><link>http://www.safetelework.com/blog/2009/02/kaiser-permanente-too.html</link><author>noreply@blogger.com (Joel Haspel)</author><thr:total xmlns:thr='http://purl.org/syndication/thread/1.0'>0</thr:total></item><item><guid isPermaLink='false'>tag:blogger.com,1999:blog-1261000797893931369.post-6206860955019286162</guid><pubDate>Sun, 08 Feb 2009 20:46:00 +0000</pubDate><atom:updated>2009-02-08T23:01:22.670-05:00</atom:updated><category domain='http://www.blogger.com/atom/ns#'>passwords</category><category domain='http://www.blogger.com/atom/ns#'>monster</category><title>Monster.com Employee Passwords Compromised</title><description>As described in &lt;a href="http://searchsecurity.techtarget.com/news/article/0,289142,sid14_gci1346018,00.html"&gt;this article&lt;/a&gt;, Monster.com employee login credentials were recently stolen.  Now that hackers have their passwords, Monster's systems are at risk until every last password is changed -- and those users who happen to use the same passwords all over the place are at even greater risk.  The solution, of course, is 2-factor authentication.  If your password is just 1/2 of the login equation, you're protected even if the password is compromised.&lt;br /&gt;&lt;br /&gt;That's the foundation of the &lt;a href="http://www.safetelework.com/"&gt;SafeTelework with Enterprise-in-a-Flash&lt;/a&gt; system, based on patented 2-factor authentication.  Ours isn't the only way to do it, though we think it's the best.  Even if you choose a different product, please be sure it has 2-factor authentication enforcement 100% of the time.  
Otherwise, you're just putting yourself at risk.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1261000797893931369-6206860955019286162?l=www.safetelework.com%2Fblog'/&gt;&lt;/div&gt;</description><link>http://www.safetelework.com/blog/2009/02/monstercom-employee-passwords.html</link><author>noreply@blogger.com (Joel Haspel)</author><thr:total xmlns:thr='http://purl.org/syndication/thread/1.0'>0</thr:total></item><item><guid isPermaLink='false'>tag:blogger.com,1999:blog-1261000797893931369.post-2194220889757554747</guid><pubDate>Fri, 14 Nov 2008 13:57:00 +0000</pubDate><atom:updated>2009-02-08T15:49:54.343-05:00</atom:updated><title>Phishing For Second Factors</title><description>Just when you thought second-factor tokens from banks meant it was safe to go back in the (online) water, a new phishing spoof targets Citibank's two-factor token system.&lt;br /&gt;&lt;br /&gt;&lt;a href="http://voices.washingtonpost.com/securityfix/2006/07/citibank_phish_spoofs_2factor_1.html"&gt;http://voices.washingtonpost.com/securityfix/2006/07/citibank_phish_spoofs_2factor_1.html&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;This is something I've been nervous about since the very first of these random-number-rotation tokens came on the market.  While certainly better than nothing, they remain vulnerable for the time that the current random number is valid.  Even if that's only 60 seconds, it's still a viable window for attack.&lt;br /&gt;&lt;br /&gt;The problem remains that it's just another password that is entered into a box and submitted across the wire to a server.  
That means it can be captured / stolen / spoofed, and during the 60-second window, it's the same as any other password.&lt;br /&gt;&lt;br /&gt;The only solution is a device that has unique physical properties that are read and incorporated by the software directly into the authentication process in real time, rather than numbers that are transmitted across the connection.&lt;br /&gt;&lt;br /&gt;This is the driving consideration behind the patented SecureChannel system at the core of the &lt;a href="http://www.safetelework.com"&gt;Enterprise-in-a-Flash secure remote access service&lt;/a&gt;.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1261000797893931369-2194220889757554747?l=www.safetelework.com%2Fblog'/&gt;&lt;/div&gt;</description><link>http://www.safetelework.com/blog/2008/11/phishing-for-second-factors.html</link><author>noreply@blogger.com (Joel Haspel)</author><thr:total xmlns:thr='http://purl.org/syndication/thread/1.0'>0</thr:total></item><item><guid isPermaLink='false'>tag:blogger.com,1999:blog-1261000797893931369.post-4321309140179569458</guid><pubDate>Fri, 17 Oct 2008 16:36:00 +0000</pubDate><atom:updated>2009-02-08T15:49:54.360-05:00</atom:updated><category domain='http://www.blogger.com/atom/ns#'>token</category><category domain='http://www.blogger.com/atom/ns#'>phone</category><title>Phones as second factors of authentication</title><description>I've been noticing a trend in the market towards acceptance of phones, particularly cell phones, as a mechanism for enforcing multi-factor authentication.  While I applaud the attempt to make multi-factor authentication more ubiquitous by tying it to an already-prevalent device, I am worried. &lt;br /&gt;&lt;br /&gt;Basically, the way it works is that you input your phone number into your profile at the online service you're logging into - be it a remote desktop product, your bank, or some other system.  
Then, when you hit the login page, you enter your username and password, and the system sends a message to your cell with a One Time Password (OTP), or calls you, at which point you press a button to indicate you've received the call.  Once the host recognizes the OTP or receives your call confirmation button press, you're logged in.&lt;br /&gt;&lt;br /&gt;It seems to me that there are several opportunities for trouble here.&lt;br /&gt;&lt;br /&gt;First, it's complicated.  Not very complicated, but complicated enough.  It's another step or two that the average user may simply opt out of.  Will users really adopt it if it's an optional feature?&lt;br /&gt;&lt;br /&gt;How about logistical difficulties:  Do I have to pay for the text message or call minutes every time I log in?  What happens if I'm in an area without cell coverage, like a basement office or a remote vacation spot?  What if my phone runs out of battery?&lt;br /&gt;&lt;br /&gt;In terms of the security itself, what's to prevent someone from stealing my (presumably single-factor) website login and modifying my profile to put in their phone number? &lt;br /&gt;&lt;br /&gt;In the end, I think it's probably better to stick with industry-standard methods for multi-factor authentication -- primarily separate hardware authentication tokens, issued in unique fashion to each user.  This is just too important to entrust to a clever but potentially flawed methodology.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1261000797893931369-4321309140179569458?l=www.safetelework.com%2Fblog'/&gt;&lt;/div&gt;</description><link>http://www.safetelework.com/blog/2008/10/phones-as-second-factors-of.html</link><author>noreply@blogger.com (Joel Haspel)</author><thr:total xmlns:thr='http://purl.org/syndication/thread/1.0'>0</thr:total></item></channel></rss>