Hi Caesar, yes, there are some options for certificates. With $5 USD you can buy a domain-validated certificate; if you need business validation, you could spend more, depending on your business needs.
Email and phone are not effective for authentication because these channels can be (and in fact are) listened to by a "man in the middle". Security is a serious concern for business. In fact, financial and banking systems do not use email or phone for access to the user's accounts because these channels are not secure enough, and money is a serious matter.
Authentication by social networks is not two-factor authentication, because a social account is not "something only the user has". Social networks use the user's information in a variety of ways, for instance: "who accesses, what app, when, from where".
Social experiments consist of modifying the social network's behavior and observing the response of users. Social networks could perform experiments on the access to your app. Also, social networks can sell the information about who accesses your app, when and from where. What about privacy?
How secure can a system be? In my opinion the answer is binary: not secure at all or highly secure.
If you use password-only or password with email/phone/social authentication, in both cases your system is an easy target for hackers; for this reason it is very important to include the maximum level of security that you can reach.
Two-factor authentication with a token is a very good solution in terms of cost/benefit. You can buy one token device (OTP) for $10 USD or use a virtual token for free.
It is easy to implement your own two-factor authentication system based on TOTP tokens (Time-Based One-Time Password); the algorithm is public, see RFC 6238: http://tools.ietf.org/html/rfc6238 This document includes the algorithm implemented in Java.
Which is the better option for developers and testers in terms of cost/benefit?
1. With AWS EC2 you pay per hour. AWS offers new low-cost EC2 instances with burstable performance starting with 1 GB of RAM. A very good option in terms of cost/performance.
2. With Google you pay per minute (minimum 10 minutes). Google offers two configurations with shared cores (614 MB and 1.7 GB of RAM). With the "Sustained Use Discounts" you can reach an effective discount of 30%.
3. With Azure you pay per minute. Azure offers only one configuration with shared cores (768 MB of RAM). But SQL Server needs at least 1 GB of RAM...
The "shared core" option is less expensive because you pay ONLY when your VM is consuming CPU cycles (in other words, when the app server and DBMS are running, not waiting for requests).
Could Azure offer more configurations with shared cores and more memory?
If you have a web server, you must buy a certificate in order to implement HTTPS. You can buy a strong certificate for $5 USD/year. Cheap or not?
Identity services using social networks are free of cost, but are not secure enough; consider the recent security issues of some social networks (remember the massive "password hacking" in some social networks).
What about the recent "social experiments" carried out by some social networks? Would you like your app to be part of experiments on social networks? What about privacy?
1) "something only the user knows" (aka password)
2) "something only the user has" (for instance, a token device)
Two-factor authentication with phone or email IS NOT effective because the communication can be "known" by the service provider. Phone and email are not "something only the user has".
A token code generated by a mobile app works well, but the "secret seed" (which is needed to generate token codes) must be encrypted using a PIN code. This PIN can be seen by a third person while you are typing it into your mobile device.
Hardware tokens (OTP: One-Time Password) are more secure because the "secret seed" is stored in secure memory; no one can see this secret key. Those devices are used by users of banking and financial systems to access their accounts.
OTPs are also used to log into a cloud (for instance Amazon AWS).
On the other hand, why do banks and financial services not implement login using social networks? Can you trust social networks to access your money? Consider the recent security issues of some social networks.