I agree, if your concern is possession of the phone, then soft tokens are almost equal to SMS. The big difference is the ability to intercept the code out on the network (VoIP, Google Voice, etc...).

One thing that I have seen done with RSA tokens that could be done with software tokens as well as SMS tokens would be appending a PIN to the token. That way even if the token is stolen, the thief would need to know the PIN and where to append it. You don't need a biometric to unlock the token, just a password or PIN to be the 2nd factor.

Context here - NIST is setting standards for government security. If you are running a government system or are the vendor selling to the government, this will apply to you. DoD and IRS shouldn't be using SMS 2-factor authentication for users of their systems. DoD is not really the problem here, since 2-factor to them is certificates on smart cards (CAC), but I wouldn't be surprised to see IRS using SMS based 2-factor for some kinds of password recovery.

SMS based 2-factor for taxpayers accessing the IRS...that could be harder to replace.

So Google and the rest of us don't have to abandon SMS for 2 factor, but I'm kinda in agreement with NIST - not the best idea due to the ability to intercept the authentication code.

I think that my wife was tricked into this one. I'm not sure if it is the same company, but here is what happened to her:

1. Bought Tickets on TicketMaster.com (paid 50% in "fees" - bastards)
2. After she finished paying she was sent to a site where they offered a "free trial" for some kind of discount service. Being that it came after the checkout she just closed the web browser.
3. Company starts billing the card she paid TicketMaster with several months later.
4. We notice the change and have it charged back.
5. They claim we signed up by _NOT_ explicitly doing anything on that page after the checkout. We should have unchecked the "sign me up" and then submitted the form to not sign up.
6. We and our bank disagree and charge them back anyway.

The real kicker is that they never even tried to deliver the login details to their "discount" website to her. I never thought that I could have a lower opinon of TicketMaster, but that did it. Bunch of rat sucking, baby raping, bastards.

I think that RedHat and/or IBM need to issue a press release like this very soon:

Steve Ballmer recently said Linux infringes on Microsoft's IP. We call bullshit.

Mr. Balmer: If you think or any of your associates know of a way that Linux is infringing on one of Microsoft's patents or copyrights, tell us. We will fix it.

However, we will not be playing guessing games like your friends over at SCO wanted us to. We will however open up our patent war chest and start World War III if that is what you really want.

Simply put - put up or shut up. And if you prefer neither will can do the latter for you.

Your move Mr. Balmer.

Something like that would be nice to nip this in the bud now. Just fewer typos and spelling errors.

If you don't mind writing a script or two, you're not looking at something that's impossible on a lighter budget. The X10 standard is actually pretty sucky, but I put it in my old house and it worked out okay. Raised the value of the house roughy 10X what I put into it, too. Anyway, check out smarthome.com, specifically this product.

Disclaimer: I haven't used this specific product. I have used just about every other X10 product, though, and the smarthome site does a pretty good job of explaining how to set things up. I used to use a wireless transmitter on my Linux box and some scripts put together called "firecracker" to communicate. Simple cron jobs did the rest. If I recall, I also had a device that transmitted/received from a serial port to the power lines directly, but I don't know if they still sell those or not.

If you really want to control your heat and A/C this way, I STRONGLY suggest taking lots of temperature samples of where things are at and ensuring you aren't wasting energy because of poor control systems. One mistake in code and your bills will go wild.