Mich Kabay takes a high-level view of security issues and provides resources to help safeguard your corporate and personal security.
My friend, colleague and former graduate student Carl Ness recently wrote to me excitedly, “It's about time this reached the consumer... I got mine yesterday, and I must say, it works really well. Now if my bank would just get a clue...” The Web page he pointed to reveals that PayPal has (finally) announced cheap, effective two-factor authentication for the masses.
For an affordable $5 fee, PayPal will send anyone a pseudo-random password-generating device that creates a six-digit security code tied to the device's serial number every 30 seconds. That means that if there are no repeats in the sequence, it could take up to 11.6 days to hit the same security code by chance.
If the logon sequence is programmed with a reasonable timeout after, say, three errors, to prevent unlimited attempts, then even assuming a measly one-minute delay before the attacker can continue trying security codes, an exhaustive search would take on average about 116 days (keyspace of 1e6 codes / 3 attempts = 3.33e5 triplets = 3.33e5 minutes = 5.55e3 hours = 2.31e2 days, halved to 1.16e2 days on average by the Central Limit Theorem).
In other words, if properly implemented, this device will be extremely difficult to bypass.
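To make the arithmetic above concrete, here is a small model of the same scenario (an added example, not PayPal's code): it carries the column's figures through (10^6 codes, three failures allowed, one-minute delay) and also shows what changes when the code rotates every 30 seconds, as the token's does, so that an attacker can never exhaust the space against a single code.

```python
"""Brute-force cost of a six-digit one-time code under a login lockout.

Added example, not PayPal's code. Figures follow the column: 10^6 codes,
three failures tolerated, then a one-minute delay before further attempts.
"""
from fractions import Fraction

CODE_SPACE = 10 ** 6          # six decimal digits
ATTEMPTS_PER_LOCKOUT = 3      # failures tolerated before the delay applies
LOCKOUT_SECONDS = 60          # the column's "measly one-minute delay"
SECONDS_PER_DAY = 86_400


def fixed_code_expected_guesses(keyspace: int = CODE_SPACE) -> Fraction:
    """Mean guesses to find one unchanging code, never repeating: (N + 1) / 2."""
    return Fraction(keyspace + 1, 2)


def rotating_code_expected_guesses(keyspace: int = CODE_SPACE) -> Fraction:
    """With a fresh code every 30 s the attacker cannot work through the space;
    each guess is an independent 1/N shot, so the mean is N (geometric)."""
    return Fraction(keyspace)


def expected_days(guesses: Fraction,
                  attempts_per_lockout: int = ATTEMPTS_PER_LOCKOUT,
                  lockout_seconds: int = LOCKOUT_SECONDS) -> float:
    """Wall-clock days when only `attempts_per_lockout` guesses fit per lockout window."""
    windows = guesses / attempts_per_lockout
    return float(windows * lockout_seconds / SECONDS_PER_DAY)


def success_probability(days: float,
                        keyspace: int = CODE_SPACE,
                        attempts_per_lockout: int = ATTEMPTS_PER_LOCKOUT,
                        lockout_seconds: int = LOCKOUT_SECONDS) -> float:
    """Chance that a rate-limited attacker hits a rotating code within `days`."""
    attempts = days * SECONDS_PER_DAY / lockout_seconds * attempts_per_lockout
    return 1.0 - (1.0 - 1.0 / keyspace) ** attempts


if __name__ == "__main__":
    print(f"fixed code:    {expected_days(fixed_code_expected_guesses()):.1f} days on average")
    print(f"rotating code: {expected_days(rotating_code_expected_guesses()):.1f} days on average")
    print(f"P(success within one day, rotating code) = {success_probability(1):.4%}")
```

The fixed-code figure reproduces the column's 116 days; the rotating-code figure is roughly double, and the one-day success chance under this lockout is well under half a percent.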
Randomizer tokens offer tremendous improvements to authentication, especially for Web-based commerce. They make man-in-the-middle attacks far more difficult than password-only authentication, and they greatly reduce the effect of stolen or compromised passwords.
Users are accustomed to carrying security devices of a similar size: electronic keys for cars. Adding another to their key fob will be no problem. Even if the device is lost, it’s useless without the user ID and password.
My hope is that many other businesses will piggyback onto the PayPal initiative. Like my correspondent Carl, I would be delighted to learn that other organizations were adopting the system immediately; I must send this article to my bank, my credit-card company, my book club, my CD club, my DVD club, my phone company, my insurance company, etc., etc.
M. E. Kabay, PhD, CISSP-ISSMP, specializes in security and operations management consulting services. CV online.
Comments (16)

A good idea..
By tuomoks on June 7, 2008, 2:47 am
A good idea (nothing new!) but PayPal? I (we) use PayPal a lot but with a caution, some of their behavior is just weird. A money transfer out of PayPal takes days...

Can it be used for laptop security
By Anonymous on June 7, 2008, 1:41 am
Does anyone know of a way or a program that can utilize the Security Key for two-factor authentication to secure a laptop, i.e. boot laptop, enter password, enter...

Verisign ID Protection
By Josh Richards on February 21, 2008, 12:17 pm
Verisign ID Protection Network info: https://idprotect.verisign.com/learnmoretoken.v The list members thus far are eBay/PayPal.

RE: PayPal Security Key: Two-factor authentication for $5
By Jeff Bosworth on July 11, 2007, 3:34 pm
While multiple key fobs can be a "pain" the overall security is the safety factor. I think wearing a seat belt is an inconvenience, but after my first car accident...

RE: PayPal Security Key: Two-factor authentication for $5
By Anonymous on July 11, 2007, 1:02 pm
I think there may be some solutions out there that can solve the MITM and the fistful of devices effect.. Check out what this company called Gemalto has been...