PayPal Security Key: Two-factor authentication for $5

* PayPal brings a higher level of security to the masses

My friend, colleague and former graduate student Carl Ness recently wrote to me excitedly, “It's about time this reached the consumer... I got mine yesterday, and I must say, it works really well. Now if my bank would just get a clue...” That Web page reveals that PayPal has (finally) announced cheap, effective two-factor authentication for the masses.

For an affordable $5 fee, PayPal will send anyone a pseudo-random password-generating device that creates a six-digit security code tied to the device's serial number every 30 seconds. That means that if there are no repeats in the sequence, it could take up to 11.6 days to hit the same security code by chance.

If logon sequences are programmed with a reasonable delay, that is, a timeout after, say, three errors that blocks further attempts, then even assuming a measly one-minute delay before an attacker can continue trying security codes, it would take on average about 116 days to guess a code (keyspace of 1e6 codes / 3 attempts per timeout = 3.33e5 triplets = 3.33e5 minutes = 5.55e3 hours = 2.31e2 days, or on average 1.16e2 days by the Central Limit Theorem).

In other words, if properly implemented, this device will be very difficult to bypass by guessing.
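The arithmetic above, together with the lockout rule it depends on, as an added illustration that is not part of the original column: a time-based six-digit code generator modelled on RFC 6238 (the PayPal device's internal algorithm is not described here, so the HMAC-SHA1 construction and the constructed secret are assumptions), a verifier that enforces a three-failure lockout, and the expected guessing time under that policy.

```python
import hashlib
import hmac
import struct

CODE_DIGITS = 6      # six-digit code, as the article describes
STEP_SECONDS = 30    # new code every 30 seconds, as the article describes


def generate_code(secret: bytes, unix_time: int) -> str:
    """Six-digit code for the 30 s window containing unix_time.
    Assumed construction (RFC 6238 style, HMAC-SHA1); the real device's
    algorithm is not documented in the article."""
    counter = unix_time // STEP_SECONDS
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    truncated = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{truncated % 10 ** CODE_DIGITS:0{CODE_DIGITS}d}"


class LockoutVerifier:
    """Accepts codes until max_attempts failures, then refuses everything
    for lockout_seconds. This is the 'timeout after three errors' the
    article's estimate assumes; without it the keyspace is tiny."""

    def __init__(self, secret: bytes, max_attempts: int = 3, lockout_seconds: int = 60):
        self.secret = secret
        self.max_attempts = max_attempts
        self.lockout_seconds = lockout_seconds
        self.failures = 0
        self.locked_until = 0

    def verify(self, code: str, now: int) -> str:
        if now < self.locked_until:
            return "locked"            # refuse without even checking the code
        if hmac.compare_digest(code, generate_code(self.secret, now)):
            self.failures = 0
            return "ok"
        self.failures += 1
        if self.failures >= self.max_attempts:
            self.failures = 0
            self.locked_until = now + self.lockout_seconds
        return "rejected"


def expected_guess_time_days(keyspace: int = 10 ** CODE_DIGITS,
                             attempts_per_lockout: int = 3,
                             lockout_seconds: int = 60) -> float:
    """Mean time to guess a fixed code: each batch of attempts costs one
    lockout period, and on average half the keyspace must be tried."""
    batches = keyspace / attempts_per_lockout
    return batches * lockout_seconds / 2 / 86400
```

Without the lockout, one-million-code keyspaces are exhausted in seconds by an automated client, which is why the verifier, not the token, carries the article's "if properly implemented" condition.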

Randomizer tokens offer tremendous improvements to authentication, especially for Web-based commerce. They make man-in-the-middle attacks far more difficult than password-only authentication, and they greatly reduce the effect of stolen or compromised passwords.

Users are accustomed to carrying security devices of a similar size: electronic keys for cars. Adding another to their key fob will be no problem. Even if the device is lost, it’s useless without the user ID and password.

My hope is that many other businesses will piggyback onto the PayPal initiative. Like my correspondent Carl, I would be delighted to learn other organizations were adopting the system immediately; I must send this article to my bank, my credit-card company, my book club, my CD club, my DVD club, my phone company, my insurance company, etc., etc.