Hacker News

I don't quite understand number 3. Can you elaborate on number 3 a bit? How is that being used? Can SSL do the same thing? Or do you mean preventing CSRF kind of attacks?



Multi-factor authentication is basically using multiple factors to authenticate a user, like texting a number to the person's cellphone to authenticate them if they are visiting from an IP that the system is not familiar with. It's basically using a second piece of information besides a password to ensure that a user is who they say they are. Sending a text message with a number is a really popular way of doing this. Think as well of a PIN and a credit card at an ATM. Sure, you have to use your ATM card at the ATM to prove your identity, but you also have to use a PIN to add an extra layer of security. This significantly reduces the risk of a breach on someone's account.
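The SMS-code flow the comment above describes, as an added example that is not part of the original thread or of any particular framework: the server mints a short random code, stores only a hash of it with an expiry, and checks submissions with a constant-time compare, an attempt limit and single use. The `send_sms` callback, the in-memory store and the 5-minute/5-attempt limits are assumptions chosen for the example; a real deployment would use a persistent store and an actual SMS gateway.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict

CODE_TTL_SECONDS = 300   # assumed lifetime of one code
MAX_ATTEMPTS = 5         # assumed guesses allowed per code


@dataclass
class PendingCode:
    digest: bytes       # sha256(user_id:code); the plaintext code is never stored
    expires_at: float
    attempts: int = 0


class SmsSecondFactor:
    """Second-factor challenge/verify for one-time codes delivered by SMS.

    The store is an in-memory dict constructed for this example; `send_sms`
    and `now` are injected so the flow can be exercised offline.
    """

    def __init__(self, send_sms: Callable[[str, str], None], now: Callable[[], float] = time.time):
        self._send_sms = send_sms
        self._now = now
        self._pending: Dict[str, PendingCode] = {}

    @staticmethod
    def _hash(user_id: str, code: str) -> bytes:
        return hashlib.sha256(f"{user_id}:{code}".encode()).digest()

    def challenge(self, user_id: str, phone: str) -> None:
        """Issue a fresh 6-digit code; any older outstanding code is replaced."""
        code = f"{secrets.randbelow(10**6):06d}"          # CSPRNG, not random.randint
        self._pending[user_id] = PendingCode(
            digest=self._hash(user_id, code),
            expires_at=self._now() + CODE_TTL_SECONDS,
        )
        self._send_sms(phone, f"Your login code is {code}")

    def verify(self, user_id: str, submitted: str) -> bool:
        """True exactly once for the right code, within its lifetime and attempt budget."""
        entry = self._pending.get(user_id)
        if entry is None:
            return False
        if self._now() > entry.expires_at:
            del self._pending[user_id]                   # expired: force a new challenge
            return False
        entry.attempts += 1
        if entry.attempts > MAX_ATTEMPTS:
            del self._pending[user_id]                   # too many guesses: burn the code
            return False
        ok = hmac.compare_digest(entry.digest, self._hash(user_id, submitted))
        if ok:
            del self._pending[user_id]                   # single use
        return ok


if __name__ == "__main__":
    outbox = []
    mfa = SmsSecondFactor(send_sms=lambda phone, msg: outbox.append((phone, msg)))
    mfa.challenge("alice", "+15555550100")
    code = outbox[-1][1].split()[-1]       # the example reads the "SMS" back from the outbox
    print("first try:", mfa.verify("alice", code))    # True
    print("replay:", mfa.verify("alice", code))       # False, code already consumed
```

Binding the hash to the user id means a code issued to one account cannot be replayed against another, and deleting the entry on success, expiry or exhaustion keeps the code from being brute-forced at leisure.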


Parent was asking about No. 3, you just explained No. 4?


My previous reply was bad, and for that I apologize. Yes, use application keys for your services/controller to make sure that it is indeed an app. This prevents session spoofing and CSRF. Rails does this automatically, and so do a lot of other frameworks/languages, so it isn't a big deal, but some people use services built on Scala or another language without frameworks, so they tend to be susceptible.
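What a framework like Rails does for you under the hood, shown as an added example that is not part of the original thread and not Rails' own code: a per-request anti-CSRF token that is an HMAC over the current session id under a server secret, embedded in the form and checked on every state-changing POST with a constant-time compare. `SERVER_SECRET`, the `authenticity_token` field name and the `handle_post` dispatcher are assumptions made for the example.

```python
import hashlib
import hmac
import secrets
from typing import Mapping, Optional

# Constructed secret for this example only; load it from configuration in a real app.
SERVER_SECRET = b"example-only-secret-do-not-reuse"


def issue_csrf_token(session_id: str) -> str:
    """Mint a token for the current session: <nonce>.<HMAC(secret, session_id:nonce)>.

    The nonce makes every form instance carry a different token; the HMAC ties
    it to the session so a token lifted from another session does not verify.
    """
    nonce = secrets.token_hex(16)
    mac = hmac.new(SERVER_SECRET, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return f"{nonce}.{mac}"


def verify_csrf_token(session_id: str, token: Optional[str]) -> bool:
    """True only if `token` was issued for `session_id` and has not been altered."""
    if not token or "." not in token:
        return False
    nonce, _, mac = token.partition(".")
    expected = hmac.new(SERVER_SECRET, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, mac)   # constant-time, no early exit on mismatch


def render_transfer_form(session_id: str) -> str:
    """Embed the token as a hidden field; the field name mirrors Rails' convention (assumed)."""
    return (
        '<form method="post" action="/transfer">'
        f'<input type="hidden" name="authenticity_token" value="{issue_csrf_token(session_id)}">'
        '<input name="amount"><button>Send</button></form>'
    )


def handle_post(session_id: str, form: Mapping[str, str]) -> int:
    """Hypothetical controller for POST /transfer: 403 without a valid token, else 200."""
    if not verify_csrf_token(session_id, form.get("authenticity_token")):
        return 403
    # ... perform the transfer for this session ...
    return 200


if __name__ == "__main__":
    victim = "session-victim"
    html = render_transfer_form(victim)
    token = html.split('value="')[1].split('"')[0]
    print(handle_post(victim, {"authenticity_token": token, "amount": "100"}))   # 200
    # A cross-site form post carries the victim's cookie (session) but no token:
    print(handle_post(victim, {"amount": "100"}))                                 # 403
    # A token the attacker minted in their own session does not verify for the victim:
    print(handle_post(victim, {"authenticity_token": issue_csrf_token("session-attacker"),
                               "amount": "100"}))                                 # 403
```

The check only helps on requests that change state and only if every such endpoint runs it; a GET that performs an action, or one controller that forgets the check, is exactly the gap the comment warns about in hand-rolled services.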


He's probably talking about session hijacking https://en.wikipedia.org/wiki/Session_hijacking





