Network World
PayPal Security Key: Two-factor authentication for $5

PayPal brings a higher level of security to the masses
Security Strategies Alert, by M. E. Kabay, Network World, 07/10/2007

Mich Kabay takes a high-level view of security issues and provides resources to help safeguard your corporate and personal security.


My friend, colleague and former graduate student Carl Ness recently wrote to me excitedly, “It's about time this reached the consumer... I got mine yesterday, and I must say, it works really well. Now if my bank would just get a clue...” That Web page reveals that PayPal has (finally) announced cheap, effective two-factor authentication for the masses.

For an affordable $5 fee, PayPal will send anyone a pseudo-random password-generating device that creates a six-digit security code tied to the device's serial number every 30 seconds. That means that if there are no repeats in the sequence, it could take up to 11.6 days to hit the same security code by chance.

If logon sequences are programmed with a reasonable lockout, so that after, say, three errors no further attempts are accepted until a timeout expires, then even with a measly one-minute delay before trying further security codes, it would take on average about 116 days to guess a code (keyspace of 1e6 codes / 3 attempts per lockout = 3.33e5 lockout periods = 3.33e5 minutes = 5.55e3 hours = 2.31e2 days to exhaust the keyspace; on average half that, 1.16e2 days, by the Central Limit Theorem).

In other words, if properly implemented, this device will be very difficult to bypass.
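The lockout arithmetic above, as an added example that is not PayPal's code: a time-based six-digit code generator (the article does not describe the device's algorithm, so the HMAC-SHA1-over-30-second-counter construction of RFC 6238 is assumed), a verifier that locks the account for one minute after three consecutive failures, and the resulting average guessing time.

```python
import hmac
import hashlib
import struct

STEP = 30          # seconds per code, as the article describes
DIGITS = 6         # six-digit security code
MAX_FAILURES = 3   # failed attempts tolerated before lockout
LOCKOUT = 60       # seconds; the article's "measly one-minute delay"


def token_code(secret: bytes, t: int) -> str:
    """Code for time t: HMAC-SHA1 of the 30-second counter, truncated to 6 digits (RFC 6238 construction, assumed)."""
    counter = struct.pack(">Q", t // STEP)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % 10 ** DIGITS:0{DIGITS}d}"


class Verifier:
    """Server-side check with the lockout policy the article assumes."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.failures = 0
        self.locked_until = 0

    def check(self, code: str, now: int) -> str:
        if now < self.locked_until:
            return "locked"            # reject without even comparing
        if hmac.compare_digest(code, token_code(self.secret, now)):
            self.failures = 0
            return "ok"
        self.failures += 1
        if self.failures >= MAX_FAILURES:
            self.failures = 0
            self.locked_until = now + LOCKOUT
        return "bad"


def expected_guess_days() -> float:
    """Article's estimate: 1e6 codes / 3 per lockout, one minute each, halved for the average."""
    lockouts = 10 ** DIGITS / MAX_FAILURES
    return lockouts * LOCKOUT / 86400 / 2


if __name__ == "__main__":
    secret = b"12345678901234567890"   # constructed demo secret (RFC 6238 test key)
    print(token_code(secret, 59), round(expected_guess_days(), 1))
```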

Randomizer tokens offer tremendous improvements to authentication, especially for Web-based commerce. They make man-in-the-middle attacks far more difficult than password-only authentication, and they greatly reduce the effect of stolen or compromised passwords.

Users are accustomed to carrying security devices of a similar size: electronic keys for cars. Adding another to their key fob will be no problem. Even if the device is lost, it’s useless without the user ID and password.

My hope is that many other businesses will piggyback onto the PayPal initiative. Like my correspondent Carl, I would be delighted to learn other organizations were adopting the system immediately; I must send this article to my bank, my credit-card company, my book club, my CD club, my DVD club, my phone company, my insurance company, etc., etc.

M. E. Kabay, PhD, CISSP-ISSMP, specializes in security and operations management consulting services. CV online.

Comments (16)

RE: PayPal Security Key: Two-factor authentication for $5
By Ed on July 10, 2007, 10:24 am
Piggyback is the operative word. I would like to see other organizations USE the SAME device so I don't have to carry around multiple randomizers. Re: PayPal...


Good idea, but....
By zigip on July 10, 2007, 10:48 am
When I go the grocery store, I hand the cashier a little ID (not credit) card to let them know that I am a repeat shopper so that they can print out the right coupons...


PayPal Security - A positive social impact?
By The Security Skeptic on July 10, 2007, 10:53 am
I'm cautiously optimistic that PayPal can be a catalyst for broader adoption of multi-factor authentication. If PayPal can demonstrate that they can truly keep...


man-in-the-middle
By iseletsk on July 10, 2007, 10:58 am
Such tokens can do little, if not nothing, against a man-in-the-middle attack. Yes, the password compromise is not that dangerous anymore. Yet, the attackers are usually...


I like the idea of increased
By Anonymous on July 10, 2007, 10:58 am
I like the idea of increased security, but how many of these are we meant to carry, or are we to have "fob minder" cabinets above our PCs?


I agree wholeheartedly.
By Anonymous on July 10, 2007, 11:47 am
I agree wholeheartedly. Until there is a central repository that the web services I use sync with, allowing me to carry one randomizer good for several sites, I...
