In theory, a great idea.
In practice, I could see an approach such as this being open to abuse and would require a few additional steps such as regional locking, maximum attempts per hour/day/month, etc.
The potential for crashing the service, or racking up huge SMS bills would be quite high, and similar risks with email spamming. (A malicious person/group abusing the login page)