Assurance

[Tom Golson <>]

If it's for the purpose of "assurance", we're requiring an in-person process.  If it's just something someone wants to add and hopefully make their account more secure, but we're not going make any statement about that binding, then we accept that there isn't a cost-effective way to solve the problem for large populations.

But now that you've asked the question, I'm curious to hear if anyone is taking a different approach.

--Tom

On Thu, May 29, 2014 at 3:09 PM, Steven Carmody <> wrote:

Hi,

We're in the process of evaluating, moving toward deploying two-factor for some applications. We'll probably end up TXTing a code to people's phones.

Its now occurred to us that we should require stronger authN when someone wants to edit their mobile phone number.

We're wondering what other sites have done to bootstrap themselves into the situation where someone MUST have already entered a mobile phone number so they can edit their mobile number ...

what's the best practice to get someone started down this road ?