The downside of having an application generate the code is that, for some reason, I may not have my mobile device handy when I need to log in. I do have my email accessible 99% of the time if I am on the internet, in case I need to authenticate myself, though.
This is the downside that is mentioned by Google too: you can only use this if you have your mobile phone with you 100% of the time when you log in. This ensures the needed level of security and doesn't fall back to sending a random code by e-mail, which can be stolen by an attacker.
Also, did you mean that I won't be asked for a password at all if I have authenticated through my app? In other words, my password is random every time?
Nope. This is called 2-factor authentication because you always enter a password (as the 1st factor) and a random, mobile-phone-generated code (as the 2nd factor).
I like both ideas, yours and mine, and think we should ultimately do both. Mine can work great for front-end authentication and admin. Yours would be more for admin, but can also be used on the front-end, I guess.
This is not related to my original idea and is an absolutely different security approach:
- when the computer cookie is missing, generate it and remember it under the profile of each user who logs in
- add a setting to the user profile called "Allow Login From Trusted Computers Only"
- only allow the next login when the computer cookie exists and is listed in the computer cookie list where the user has performed logins.
However, this might be a 3rd way of logging in. There might be a need for more fine-grained control over which computers are remembered, like this:
- when the user logs in from a computer not listed in his computer cookie list, we send him an e-mail asking to confirm that it's a trusted computer (with a confirmation link inside)
- only if the user clicks the link in the e-mail do we add the computer to the trusted list
I don't see a way to prompt the user to enter a human name for this computer (e.g. Home, Work), however.
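The trusted-computer flow sketched in this reply, including the "Allow Login From Trusted Computers Only" setting and the e-mail confirmation step, as an added example that is not code from the thread. The `User` record, the function names and the in-memory storage are assumptions for the demo; sending the e-mail is represented by returning the confirmation token that the link would carry. Only a hash of each computer cookie is stored, so a leaked user table does not hand out working cookies.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class User:
    """Constructed in-memory user record; a real system would persist this."""
    name: str
    trusted_only: bool = False                          # "Allow Login From Trusted Computers Only"
    trusted_hashes: set = field(default_factory=set)    # sha256 of each trusted computer cookie
    pending: dict = field(default_factory=dict)         # confirm token -> (cookie hash, expiry)


def _h(token: str) -> str:
    """Hash a cookie value before storing it, so the stored list is not itself a credential."""
    return hashlib.sha256(token.encode()).hexdigest()


def new_device_cookie() -> str:
    """Random, unguessable 'computer cookie' (set it HttpOnly and Secure in practice)."""
    return secrets.token_urlsafe(32)


def is_trusted(user: User, device_cookie: str) -> bool:
    h = _h(device_cookie)
    return any(hmac.compare_digest(h, t) for t in user.trusted_hashes)


def request_trust(user: User, device_cookie: str, now: float, ttl: int = 900) -> str:
    """Login from an unlisted computer: mint a one-time token for the e-mailed
    confirmation link. The computer becomes trusted only via confirm_trust()."""
    token = secrets.token_urlsafe(32)
    user.pending[token] = (_h(device_cookie), now + ttl)
    return token


def confirm_trust(user: User, token: str, now: float) -> bool:
    """Called when the link in the e-mail is clicked. Single use and time-limited."""
    entry = user.pending.pop(token, None)          # pop: a replayed link is rejected
    if entry is None:
        return False
    cookie_hash, expiry = entry
    if now > expiry:
        return False
    user.trusted_hashes.add(cookie_hash)
    return True


def login(user: User, password_ok: bool, device_cookie, now: float):
    """Returns (allowed, device_cookie_to_set, confirm_token_or_None).

    password_ok stands for the password check, which happens before any of this.
    """
    if not password_ok:
        return False, device_cookie, None
    if device_cookie is None:                      # first visit from this browser
        device_cookie = new_device_cookie()
    if is_trusted(user, device_cookie):
        return True, device_cookie, None
    token = request_trust(user, device_cookie, now)  # in a real system: e-mail the link
    allowed = not user.trusted_only                # setting off: let in, remember the computer
    return allowed, device_cookie, token


def demo():
    """Unknown computer with the setting on, confirmation clicked, then a normal login."""
    u = User("alice", trusted_only=True)
    t0 = 1_700_000_000.0
    ok1, cookie, token = login(u, True, None, t0)            # blocked, link mailed
    confirmed = confirm_trust(u, token, t0 + 60)             # user clicks the link
    ok2, _, token2 = login(u, True, cookie, t0 + 120)        # same computer, now trusted
    ok3, _, _ = login(u, True, new_device_cookie(), t0 + 180)  # another computer: blocked
    return ok1, token is not None, confirmed, ok2, token2, ok3


if __name__ == "__main__":
    print(demo())
```

With the setting off, `login` still mints a cookie and a confirmation token but lets the user in, which matches the first variant in the reply (remember every computer); with it on, only confirmed computers get past the password. The human-readable name the reply asks about could be collected on the confirmation page rather than at login time, since that page is the one step where the user already has to act.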