Facebook, twitter, amazon, ebay etc all use HTTPS to sign in.
I read it was very easy for a third party to be recording passwords that are entered when HTTPS is not used.
This could be a way getting users passwords which they may also use for other sites including commerce.
Interesting system. I assume the back up codes are only in case I get a hacked or loose my password? I feel like I wasn't paying attention. Edit: just read it again so yes. See I was paying attention.
I used the email system. Worked fine. Does the app path support all mobiles (blackberry and windows) or just Andriod and iOS?
I've written the backup codes down in my little book of passwords. Which if it ever gets stolen will mean I am totally stuffed. I've been thinking of labelling my little book with a sticker to dissuade all interest in its contents. Some thing like 'Research notes into political and economic theory and forecasts on a post democratic society entering Oligarchy'