On eBay’s Security Key

January 11th, 2007, by admin. Posted in two factor authentication.

InfoWorld has an article indicating that PayPal is launching a multi-factor authentication scheme using a security key.

The security key is actually a small electronic device, designed to clip on to a key-chain, that calculates a new numeric password every 30 seconds. PayPal users who sign up to use the device will need to enter their regular passwords as well as the number displayed on the key whenever they log in to the online payment service.

This is a welcome development and something that I have been writing about for the past two years. The cost of such a device is $5, a small cost to pay to secure the PayPal account from phishers and hackers.

What took so long? Where are Google, Yahoo and MSN on this?
While this is a welcome change, I would like to see industry-wide adoption of this and have a single device for “all online identities”. It doesn’t make sense to have five different devices for five different accounts, say Yahoo, Google, MSN, Amazon etc.

Combining RSA tokens with mobile phones
Another user-friendly option is providing such “two factor” authentication over the cell phone. This will alleviate the need to carry multiple devices, and new websites can be added as and when they adopt this security mechanism. Most internet users I know generally have access to a cell phone and they carry it around when they are traveling. So it makes a lot of sense to put the “secure key” on a cell phone rather than on a separate device.

Software secure key that works on all cell phone models
It can be a “software-based key” which can be installed on various models of cell phones. Each time a new website rolls out the “secure key” authentication model, the software key can be synchronized with that website. This way multiple applications can be authenticated using just one device, and that device is something most of us carry around in any case.

This is a good opportunity, which is waiting to be tapped. The difficult part is not building the software key but convincing all the different companies to go with the same authentication model.
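An added example, not from the original post or from PayPal: a sketch of the phone-based software key described above, assuming the standard time-based one-time password algorithm (RFC 6238 with HMAC-SHA1), since the post does not say which algorithm the hardware key uses. `SoftToken`, `SiteVerifier`, the 6-digit code length and the secrets are hypothetical names and constructed values.

```python
import hashlib
import hmac
import struct

STEP = 30      # seconds per code, matching the 30-second rotation described above
DIGITS = 6     # assumed code length; the post does not state one


def totp(secret: bytes, now: float, step: int = STEP, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the time-step counter, dynamically truncated."""
    counter = struct.pack(">Q", int(now) // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


class SoftToken:
    """Hypothetical phone-side key: one app, a separate secret per enrolled site."""

    def __init__(self):
        self._secrets = {}

    def enroll(self, site: str, secret: bytes) -> None:
        self._secrets[site] = secret

    def code(self, site: str, now: float) -> str:
        return totp(self._secrets[site], now)


class SiteVerifier:
    """Hypothetical server side: tolerates clock drift, rejects reused codes."""

    def __init__(self, secret: bytes, drift_steps: int = 1):
        self._secret = secret
        self._drift = drift_steps
        self._last_counter = -1   # highest time step already accepted

    def verify(self, code: str, now: float) -> bool:
        current = int(now) // STEP
        for counter in range(current - self._drift, current + self._drift + 1):
            if counter <= self._last_counter:
                continue          # replay of an already-used (or negative) step
            expected = totp(self._secret, counter * STEP)
            if hmac.compare_digest(expected.encode(), code.encode()):
                self._last_counter = counter
                return True
        return False
```

Each site keeps its own secret, so a compromise of one site's database does not expose codes for the others, and the verifier's step tracking means a code captured in transit cannot be replayed once it has been accepted.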


On hacking of Citibank’s onscreen keyboard

September 19th, 2006, by admin. Posted in security, two factor authentication.

BoingBoing has a post about how Citibank’s on-screen keyboard is defeated by Trojans.

A new trojan that records screen-movies has been discovered in the wild; the malware specifically captures your mouse as you laboriously enter your password into banking sites that use on-screen keyboards to defeat keyloggers

It’s time the pinheads running the banks start providing two-factor authentication. With the spread of cell phones, it’s time the banks use a two-factor scheme where the tokens can be obtained via an SMS on the cell phone or use Cellular Authentication Token. Simple user name / password schemes are archaic and have lived beyond their purpose.
