Note that the login has no apparent lockout, which is a good thing (i.e. it took me about 10 times to remember my pwd).
On new logins it asks for the answer to the favourite question:
Note that this 'extra step' doesn't show all the time. Here is their explanation for showing it:
The email and phone number need to be verified.
For example, this is what happened when I triggered the phone verification process:
SSL-only experience
Even if you log in via http, the login is done over SSL, which is preserved after login:
It's all about trust, threats and risk:
I really like their approach, since it is a good balance of security vs usability.
It also shows that security features are very closely connected with the trust level of the website, its threats and risk profile.
For example, some of these would be over the top in the current version of TeamMentor.