---- Simple two-factor authentication using ASP.NET
marcel - 7:07 am on Sep 9, 2010 (gmt 0)
but in case the SMS system fails, stolen phone, damaged or just no signal or battery, the web is still working but I will be unable to log in
Yes, unfortunately this is one major drawback, but not only of this technique: a SecurID token, for example, can also be lost or damaged (although it isn't susceptible to mobile network outages). We're looking into some kind of backdoor which can be manually opened when necessary.
The mobile phone number can be changed for the user by the Administrator though (in case of phone loss). Meaning the admin can log in, change the user's mobile phone number and the user can try again.
they send access code to both Email and SMS
We looked into that as well, but unfortunately most of the users we are catering to use the same password for their mail as for this application. (no matter how often we tell them that they shouldn't...)
the access code is valid for a certain period of time
This is also an option the customer has mentioned, more due to cost than any other reason.
The problem I have with this method is that it totally removes the security they first asked for, which is an OTP (one-time password) system. But in many cases this would be a very acceptable solution.
I do not know the exact costs but you may also want to check the VeriSign identity protection system.
Thanks, I hadn't yet heard of that system, we'll look into it.