Paypal Security Key and Multifactor Authentication

By Randy Jensen | Aug 23, 2007

After listening to an episode of Steve Gibson’s Security Now podcast about the new PayPal Security Key, I promptly ordered one.

If you’re not sure what the Security Key is, it’s a small dongle that is linked to your PayPal and eBay accounts. It has a small screen that shows you a six-digit number when you press the button. Why is this important?

Well, I’m glad you asked. This brings security to a whole new level that’s referred to as ‘multifactor authentication’.

Single Factor Authentication

To understand how the key works, you need to understand how the current system works. When you log in to your PayPal (or eBay, last time I’m going to say that, promise), you type your username and password and you’re logged in. This makes it very easy for hackers to get into your account, either by compromising PayPal’s servers or with some type of keylogger. This method is called single factor authentication. It’s simply “something you know” (or something a hacker knows).

Multi-Factor Authentication (2-Factor)

Enter the security key. Now, in order to log in to your account, you need to have “something you know” (your username and password) and “something you have” (the six-digit random number from the security key). We now have multifactor authentication. You still enter your username and password, but the login also needs the six-digit randomly generated number. So what you do is push the button and enter the number immediately after your password (e.g. mypassword123456).

Do you see why this is so powerful? Let me explain. If a hacker were to compromise your account, he would have your username and password. Now, PayPal allows you to bypass entering the security key number one time and, in its place, answer your secret questions. So he could still only get into your account if he knows your username, your password, and your most beloved second grade teacher (however highly unlikely).

Beginning to see? How about if you have a keylogger on your computer that is phoning home to a hacker’s server? Yes, he would be able to get the six-digit number simply because he has a file with everything you typed... but the number on the key is only good for 30 seconds. This means he would only be able to target one person at a time, since he would have to sit and watch his logs and immediately log in as you, the moment you type your login info.
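As an added example, not from the original post, here is a small Python model of the server side of the login described above: the user types the six-digit code right after the password (mypassword123456), the code changes every 30 seconds, and a code captured by a keylogger is useless once its window has passed or once it has already been accepted. The HMAC-SHA1 time-step construction, the one-step clock tolerance and the “already used” set are assumptions; the post does not say how the key derives its number.

```python
import hmac
import hashlib
import struct

STEP = 30    # each code is good for a 30-second window, as the post says
DIGITS = 6   # the key shows a six-digit number


def totp(secret: bytes, t: int) -> str:
    """Code for the time-step containing Unix time t (HMAC-SHA1 over the step counter; assumed scheme)."""
    counter = struct.pack(">Q", t // STEP)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % 10 ** DIGITS:0{DIGITS}d}"


def split_credentials(field: str):
    """Undo the PayPal-style entry 'mypassword123456': the last six digits are the code."""
    if len(field) <= DIGITS or not field[-DIGITS:].isdigit():
        return None
    return field[:-DIGITS], field[-DIGITS:]


class Verifier:
    """Server side for one account: shared seed, password, and the time-steps already used."""

    def __init__(self, secret: bytes, password: str):
        self.secret = secret
        self.password = password
        self.used = set()   # a code is one-time: accepting it twice would let a keylogger replay it

    def login(self, field: str, now: int) -> bool:
        parts = split_credentials(field)
        if parts is None:
            return False
        password, code = parts
        if not hmac.compare_digest(password.encode(), self.password.encode()):
            return False
        # Accept the current step and the one before it (clock skew); nothing older.
        for drift in (0, -1):
            counter = now // STEP + drift
            if counter in self.used:
                continue
            if hmac.compare_digest(totp(self.secret, counter * STEP), code):
                self.used.add(counter)
                return True
        return False
```

The seed `b"constructed-demo-seed"` used when running this is a constructed value; a real token’s seed is provisioned by the issuer and never typed by the user.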

Multi-Factor Authentication (3-Factor, the Holy Grail)

So we know how crappy the current single factor authentication system is, and we know how much better the 2-factor system is…what’s left?

The holy grail of all security is 3-factor authentication. This means you still need to have “something you know” and “something you have”, but the third variable is “something you are”.

“Something you are” means that in order to log in, you need all the previous credentials (in one form or another), but you also need... well, you. Examples of “something you are” authentication could be a retina scan, fingerprint scan, voice scan, etc.

Downfalls

So if all of this is known, why isn’t everyone using it? Because humans are a bit slow, especially when it comes to technology. Could you imagine telling your grandma that in order to log in to her ‘internet mail thingy’ she needs to type her username and password, followed by her randomly generated six-digit security key number and finally a retina scan? I can’t. Hell, I know people younger than me that look at me like I’m on crack when I tell them that their current password of ‘password’ isn’t very secure.

My first reaction was “no way in hell I’m going to be carrying one of these things around for each bank account, PayPal, eBay and anyone else who wants to implement this system”. After listening to the PayPal guys, they’ve (of course) already thought of this. This system will be rolled out as the ‘standard’, so one key will work with anyone who decides to use it.

Also, what if you’re on vacation or at work and your “something you have” is at home and you don’t actually have it... then what?

What if you have an accident and your hand is badly injured and you have a fingerprint reader to get into your office?

Not complete showstoppers, but things to ponder nonetheless.

Final Thoughts

I won’t go into too much more detail because I don’t want anyone’s eyes to glaze over, but you should be able to see how flawed and useless the current security system we have in place on the web is.

I strongly urge everyone to get a Security Key from either address below if you are a PayPal or eBay user:

http://www.paypal.com/securitykey
http://www.ebay.com/securitykey

I’ve been using mine for a little over a week and I want to commend PayPal on pushing the envelope in terms of new and more innovative ways to protect its users.

Recap

Single Factor Authentication: Something you know (e.g. username and password)
2-Factor Authentication: Something you have (e.g. security key)
3-Factor Authentication: Something you are (e.g. fingerprint)


© 2009 Randy Jensen Online