Phone number login and verification for mobile apps
Can someone shed some light on the security behind mobile phone logins on mobile apps?
Uber and Lyft ask the user to log in using their mobile phone, I'm assuming because it is a more unique identifier than email, and then they text you a verification code to enter. Once the code is entered and the mobile number is verified, you are able to log in. They also never log you out unless you manually log out.
It seems as though this has taken the idea of two-factor authentication (something you know and something you have) and basically dropped the "something you know" portion of it (a password). Is this true? If someone were to steal your phone they could essentially jump into the Uber or Lyft app and use it as much as they want without ever having to verify (of course until you catch the charges on your credit card).
Is there an extra layer of security I am missing? It may not matter as much for an app like Uber or Lyft, but what about for a medical app that must be HIPAA-compliant? I found 98point6 the other day, and they seem to use the same mobile phone login approach. However, they log you out after 15 minutes of inactivity (HIPAA regulations) and so you must enter your phone number and the texted verification code every time to use the app.
Apologies for the long-winded post, but I just want to understand the benefits of a login approach like this (is it just so that you never have to enter a password?) and further, is there an extra layer of security I am missing that allows for even HIPAA-compliant apps to take this approach?
Thanks in advance!
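As an added example (not part of the question above, and not the actual code of Uber, Lyft or 98point6), the following Python models the server side of the flow the question describes: issue a short-lived one-time code, verify it with a bounded number of guesses, then hand out a session that is either long-lived or expires after the 15 minutes of inactivity the post mentions. The class and method names, the 5-minute code lifetime and the 5-attempt limit are assumptions chosen for illustration; only the 15-minute idle timeout comes from the post. Codes are stored as keyed hashes rather than in the clear, compared in constant time, and burned after one use, which is what separates a reasonable SMS-code login from a guessable one.

```python
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# Constructed parameters for this example; not taken from any real provider.
OTP_DIGITS = 6
OTP_TTL_SECONDS = 300           # assumed: code is valid for 5 minutes after issue
MAX_VERIFY_ATTEMPTS = 5         # assumed: lock the code after this many wrong guesses
INACTIVITY_TIMEOUT = 15 * 60    # 15-minute idle logout, as described in the post


@dataclass
class PendingCode:
    digest: bytes        # keyed hash of the code, never the code itself
    issued_at: float
    attempts: int = 0


@dataclass
class Session:
    phone: str
    last_seen: float


class PhoneLoginService:
    """Hypothetical server-side model of phone-number + SMS-code login."""

    def __init__(self, clock: Callable[[], float] = time.time):
        self.clock = clock
        self.pending: Dict[str, PendingCode] = {}
        self.sessions: Dict[str, Session] = {}
        self.outbox: List[Tuple[str, str]] = []   # stands in for the SMS gateway
        self.pepper = secrets.token_bytes(32)     # server-side secret for hashing codes

    def _hash(self, phone: str, code: str) -> bytes:
        return hmac.new(self.pepper, f"{phone}:{code}".encode(), "sha256").digest()

    def request_code(self, phone: str) -> None:
        """Generate a fresh random code and 'send' it; replaces any earlier code."""
        code = f"{secrets.randbelow(10 ** OTP_DIGITS):0{OTP_DIGITS}d}"
        self.pending[phone] = PendingCode(self._hash(phone, code), self.clock())
        self.outbox.append((phone, code))  # a real deployment hands this to the SMS provider

    def verify_code(self, phone: str, code: str) -> Optional[str]:
        """Return a session token on success, None on any failure."""
        entry = self.pending.get(phone)
        if entry is None:
            return None
        now = self.clock()
        # Expired or over the guess budget: discard the code so it can never be brute-forced.
        if now - entry.issued_at > OTP_TTL_SECONDS or entry.attempts >= MAX_VERIFY_ATTEMPTS:
            del self.pending[phone]
            return None
        entry.attempts += 1
        if not hmac.compare_digest(entry.digest, self._hash(phone, code)):
            return None
        del self.pending[phone]  # single use: a correct code cannot be replayed
        token = secrets.token_urlsafe(32)
        self.sessions[token] = Session(phone, now)
        return token

    def touch(self, token: str) -> Optional[str]:
        """Return the phone bound to an active session and refresh its idle timer; None if expired."""
        s = self.sessions.get(token)
        if s is None:
            return None
        now = self.clock()
        if now - s.last_seen > INACTIVITY_TIMEOUT:
            del self.sessions[token]  # idle logout, as the medical app in the post does
            return None
        s.last_seen = now
        return s.phone
```

The `touch` method is where the two policies in the question diverge: a ride-hailing app would simply never enforce `INACTIVITY_TIMEOUT`, so possession of the unlocked phone is possession of the account, while the 15-minute variant forces a fresh code after idle time. Note that none of this stops someone who holds the phone and can read its SMS inbox; the idle timeout only shortens how long a stolen session stays useful.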