Board: Trading Discussion
Re: API fail part II: BTC-E faceplant
by MPOE-PR on 04/11/2012, 12:19:24 UTC
It is a form of biometric authentication, people employed in high-value account service have extraordinary auditory memory (or visual memory, for the in-person service).

In other words, a wizard does it?

Anyway, given the interest Mr. P wrote out the specification a little, for this thing provisionally called BTC-UXP. All comments more than welcome.
I did a quick look-see. It doesn't seem to have the protection against placing duplicate orders in case of transport failure/timeout. At the minimum all the imperative verb calls should have an OrderID argument that needs to be unique.

There may be some sort of replay attack made out of the above flaw, but I don't have a motivation to delve deeper.

That part's intentionally left blank.

If the exchange implements by-connection security (cookie based/https website logins are of this sort) then all orders are valid even if duplicate. If the exchange implements stateless by-payload security (such as the GPG scheme MPEx uses) then the exchange should also enforce unique-payload (either through hashing or some other method).

In either case these are considerations of exchange security, NOT of communication protocol. At least that's the thinking.
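An added illustration of the two exchange-side checks argued over above (not code from the BTC-UXP spec, MPEx or BTC-E): a naive intake that books every payload it receives, next to one that enforces a client-chosen unique OrderID and a unique-payload hash, fed by a client that resends the same bytes after a simulated timeout. Class and field names are assumptions made for the example.

```python
import hashlib
import json


class NaiveExchange:
    """Books every payload as a new order: a client that retries after a
    transport timeout places the same order more than once."""
    def __init__(self):
        self.book = []

    def submit(self, payload: bytes) -> dict:
        self.book.append(json.loads(payload))
        return {"status": "accepted", "orders": len(self.book)}


class IdempotentExchange:
    """Stateless by-payload security: each payload is hashed and a repeat
    is rejected; a reused order_id with different content is rejected too."""
    def __init__(self):
        self.book = {}       # order_id -> order
        self.seen = set()    # sha256 of every payload accepted so far
        # Assumption: in production the hash set would be bounded or expire
        # with the payload's own timestamp; kept unbounded here for clarity.

    def submit(self, payload: bytes) -> dict:
        digest = hashlib.sha256(payload).hexdigest()
        if digest in self.seen:
            return {"status": "duplicate-payload"}
        order = json.loads(payload)
        oid = order["order_id"]
        if oid in self.book:
            return {"status": "duplicate-order-id", "order_id": oid}
        self.seen.add(digest)
        self.book[oid] = order
        return {"status": "accepted", "order_id": oid}


def retrying_client(exchange, order: dict, attempts: int = 3) -> list:
    """Client that never sees a reply (simulated timeout) and resends the
    identical bytes `attempts` times; returns the exchange's responses."""
    payload = json.dumps(order, sort_keys=True).encode()  # constructed sample
    return [exchange.submit(payload) for _ in range(attempts)]


if __name__ == "__main__":
    buy = {"order_id": "c1-0001", "verb": "BUY", "qty": 5, "price": 11.2}
    print(retrying_client(NaiveExchange(), buy))        # three bookings
    print(retrying_client(IdempotentExchange(), buy))   # one booking
```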