First look at PayPal’s Security Key

As we've said before, PayPal has stepped up its security options by offering business accounts free key fobs, and personal accounts the same key for a low one-time fee of $5 per key.
The two-factor authentication is something that many corporate VPNs have implemented, and banks have been swearing up and down the line that they “will” get to it. Now let’s take a quick look at how two-factor authentication works before we look at the fancy pants device that PayPal sent out.
In single-factor authentication, a user types the login name and then the password:

login: janesmith
password: abcd

However, with a security key in two-factor authentication, a secondary password that is only valid for a short time period is also needed for access. This is usually typed in right after your regular password. So in the above case, with a two-factor solution and the key displaying "123456", it becomes:

login: janesmith
password: abcd123456
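To show what the site has to do with that combined field, here is an added example (not code from the original post, and not PayPal's or eBay's implementation) of the server side of the login above. It assumes the fob is a standard time-based one-time-password token in the style of RFC 6238 (HMAC-SHA1, six digits, one code per 30 seconds, which matches the 30-second display the article describes); the token seed and the password hash are constructed demo values, with the seed taken from the RFC's own test vectors so the output can be checked against the published tables.

```python
import hashlib
import hmac
import struct
import time

TIME_STEP = 30    # seconds each code is valid; matches the 30-second display
OTP_DIGITS = 6    # the fob shows a six-digit number
DRIFT_STEPS = 1   # accept one step before/after "now" to absorb fob clock drift

# Constructed demo account for "janesmith". The seed is the RFC 4226/6238
# test-vector secret, not a real token seed. The password is hashed with a
# plain SHA-256 only to keep the example short; a slow, salted hash belongs here.
USERS = {
    "janesmith": {
        "password_hash": hashlib.sha256(b"abcd").hexdigest(),
        "token_seed": b"12345678901234567890",
    }
}


def hotp(seed: bytes, counter: int, digits: int = OTP_DIGITS) -> str:
    """HMAC-based one-time password (RFC 4226) for a given counter value."""
    digest = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                      # dynamic truncation
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(seed: bytes, at_time: float, step: int = TIME_STEP) -> str:
    """Time-based one-time password (RFC 6238): HOTP over the current time step."""
    return hotp(seed, int(at_time // step))


def split_combined_password(field: str):
    """Split 'abcd123456' into ('abcd', '123456'); None if no six-digit code is present."""
    if len(field) <= OTP_DIGITS or not field[-OTP_DIGITS:].isdigit():
        return None
    return field[:-OTP_DIGITS], field[-OTP_DIGITS:]


def verify_login(login: str, combined: str, now: float = None) -> bool:
    """Check static password and fob code together; both must pass."""
    now = time.time() if now is None else now
    user = USERS.get(login)
    parts = split_combined_password(combined)
    if user is None or parts is None:
        return False
    password, code = parts

    # Constant-time comparison so the password check leaks no timing information.
    submitted_hash = hashlib.sha256(password.encode()).hexdigest()
    password_ok = hmac.compare_digest(submitted_hash, user["password_hash"])

    # Accept the code for the current step and its immediate neighbours; check
    # every candidate rather than breaking early so timing stays uniform.
    current_step = int(now // TIME_STEP)
    otp_ok = False
    for delta in range(-DRIFT_STEPS, DRIFT_STEPS + 1):
        expected = hotp(user["token_seed"], current_step + delta)
        if hmac.compare_digest(expected, code):
            otp_ok = True

    # Evaluate both factors before returning, so a wrong password and a wrong
    # code are indistinguishable to the caller.
    return password_ok and otp_ok


if __name__ == "__main__":
    seed = USERS["janesmith"]["token_seed"]
    fake_now = 59  # RFC 6238 test-vector time; the fob would read 287082
    print("fob shows:", totp(seed, fake_now))
    print("login ok: ", verify_login("janesmith", "abcd" + totp(seed, fake_now), now=fake_now))
    print("stale code:", verify_login("janesmith", "abcd287082", now=fake_now + 300))
```

The drift window is the usual trade-off: widening it makes a slightly fast or slow fob keep working, but every extra step is another code an attacker's guess could collide with, so most servers keep it at one step either side and re-synchronise the offset when a valid code is seen.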


And so it came, in one of those hard mailer envelopes via the United States Postal Service. For five bucks it was actually sort of surprising, considering that covered both the hardware and the shipping, which alone had to cost more than your average thirty-nine cents.
The key fob comes stuffed in a little box with some pamphlets on how to protect yourself. It is a bit different from the usual RSA tokens, which are on all the time: these only light up for 30 seconds after you hit the button, showing the six-digit number in the display. Not sure about the lifetime of such devices, but the battery would at least have to keep a slight charge going to the timing mechanism the whole time.
From a use perspective, it was pretty easy to activate on both PayPal and eBay. You enter the serial number from the back of the device, type in two timed codes, and you're set to use it. For eBay, we assume this would basically kill any chance of using sniper software, so if you rely on that, don't go ahead with this unless you're okay with losing the sniping. For PayPal, it's pretty much business as usual. This extra security is definitely worth the price.

Now, the burning question is: why didn't they go with a software token that could be downloaded? From a cost perspective, this was probably the cheapest to deliver: a software token would still have needed hardware keys for all the operating systems that couldn't run it, so shipping a single hardware key to everyone saves a bit. In any case, this was a great thing for the company to do to help protect its users and reinforce its reputation. Now if only banks would actually offer the same solution set in a timely fashion, we might be getting somewhere with securing online transactions…