On Ebay’s security Key

Infoworld has an article indicating that PayPal is launching a multi-factor authentication scheme using a security key.

The security key is actually a small electronic device, designed to clip on to a key-chain, that calculates a new numeric password every 30 seconds. PayPal users who sign up to use the device will need to enter their regular passwords as well as the number displayed on the key whenever they log in to the online payment service.

This is a welcome development and something that I have been writing about for the past two years. The cost of such a device is $5, a small price to pay to secure a PayPal account from phishers and hackers.

What took so long? Where are Google, Yahoo and MSN on this?
While this is a welcome change, I would like to see industry-wide adoption of this and have a single device for “all online identities”. It doesn’t make sense to have five different devices for five different accounts, say Yahoo, Google, MSN, Amazon etc.

Combining RSA tokens with Mobile phones
Another user-friendly option is providing such “two factor” authentication over the cell phone. This would remove the need to carry multiple devices, and new websites could be added as and when they adopt this security mechanism. Most internet users I know have access to a cell phone and carry it around when they are traveling. So it makes a lot of sense to put the “secure key” on a cell phone rather than on a separate device.

Software secure key that works on all cell phone models
It can be a “software based key” which can be installed on many different models of cell phones. Each time a new website rolls out the “secure key” authentication model, the software key can be synchronized with that website. This way multiple applications can be authenticated using just one device, and that device is something most of us carry around in any case.

This is a good opportunity waiting to be tapped. The difficult part is not building the software key but convincing all the different companies to go with the same authentication model.
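As an added illustration of the scheme discussed above (example code, not PayPal’s device or anything from the article), the following assumes the key works like an RFC 6238 time-based OTP: an HMAC-SHA1 over a 30-second time counter, truncated to a six-digit code. The `SoftwareKey` class is a hypothetical “one device, many sites” key-ring, and `verify` is the server-side check, which tolerates one step of clock drift between the device and the site.

```python
import hmac
import hashlib
import struct

STEP_SECONDS = 30   # the article's "new numeric password every 30 seconds"
DIGITS = 6


def totp(secret: bytes, unix_time: int, step: int = STEP_SECONDS, digits: int = DIGITS) -> str:
    """Time-based one-time code (RFC 6238 style): HMAC-SHA1 over the time counter,
    then dynamic truncation to a fixed number of decimal digits."""
    counter = unix_time // step
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class SoftwareKey:
    """Hypothetical phone-resident key holding one shared secret per enrolled site,
    so a single device can answer for PayPal, Yahoo, Google, etc."""

    def __init__(self) -> None:
        self._secrets: dict[str, bytes] = {}

    def enroll(self, site: str, secret: bytes) -> None:
        # "Synchronizing" with a new site = storing the secret it issued at sign-up.
        self._secrets[site] = secret

    def code_for(self, site: str, unix_time: int) -> str:
        return totp(self._secrets[site], unix_time)


def verify(secret: bytes, submitted: str, unix_time: int, drift_steps: int = 1) -> bool:
    """Server side: accept the code for the current step or its +/- drift_steps
    neighbours, so a slightly skewed device clock does not lock the user out.
    Constant-time comparison avoids leaking how many digits matched."""
    for delta in range(-drift_steps, drift_steps + 1):
        candidate = totp(secret, unix_time + delta * STEP_SECONDS)
        if hmac.compare_digest(candidate, submitted):
            return True
    return False


if __name__ == "__main__":
    # Constructed sample secret (the RFC 6238 test-vector key), not a real enrolment.
    key = SoftwareKey()
    key.enroll("paypal", b"12345678901234567890")
    print(key.code_for("paypal", 59))  # -> 287082
```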



One Response to “On Ebay’s security Key”

  1. Unfortunately, this deployment will still be vulnerable to MITM attacks and malware. They would be better off using the OTP for authenticating the transactions. Without mutual authentication, that is, authenticate to the user that they are on the correct host, there will still be MITM attacks.

    Nick
