Paypal Introduces SecurID Tokens
Paypal will sell SecurID tokens to its customers, starting early this year. The PayPal Security Key is a keychain-size device that generates a new six-digit code every 30 seconds. Paypal will require customers who sign up for it to enter the current code in order to complete transactions.
Paypal hopes the gadget adds an extra layer of security and helps prevent account breaches.
Just don't lose your keys. — BEN POPKEN
The PayPal Security Key [Official Site via Gizmodo] (Thanks to Kornkob!)
Comments:
Cool, except that I've already got one of these from E*Trade...and I hear Bank of America might be sending me one too...how many of these things am I gonna have to keep on my keychain?
For those who don't know, the token works by running a unique random seed value and a timestamp value through an algorithm to generate a key number that changes every 60 seconds. The clock inside the token is accurate enough to stay synced for years, so the auth server runs the same algorithm the token runs to compare the key and return a pass/fail.
Every implementation I've seen combines the token's code with a standard password - this is what is called "two-factor" authentication, the factors being something you know (your account number and password) and something you possess (the token). This lowers the possibility of someone accessing your account if they steal your SecurID (much like ATM card + PIN auth systems).
An ideal solution to the four-tokens-on-my-keychain problem would be a centralized SecurID authentication service, so that one could carry a single token to authenticate with any client site. However, I doubt the sites themselves trust a single outside party enough for this to ever gain traction (remember Windows Passport?). But if this does happen I will be a happy man indeed.
Paypal sucks to begin with. I don't know if I want a token that ensures my security on a system that is threatened more by their own business practices than outside hackers. Is the token going to prevent them from freezing my balance and dipping into my checking account at will? If not, they can stick it.
AlteredBeast:
This would guard against those emails, because the phisher would need the number from the device to log in and clean out the account. Since that number changes every 30 seconds, he would have to prompt for the magic number on the fake login phishing page, then manage to log in to paypal within 30 seconds after the user was phished. Since the magic number keeps changing, he won't be able to log in more than once.
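The two comments above describe the mechanics in prose: a shared seed plus a timestamp run through an algorithm on both the token and the server, a password combined with the code for two factors, and a code that is only good for one login inside its 30-second window. The following is an added example written for this thread, not code from PayPal, VeriSign or RSA; SecurID's real algorithm is proprietary, so the code uses the public HMAC-based construction from RFC 4226/6238 as a stand-in, with a constructed demo seed, the article's 30-second step, and a hypothetical Verifier class that tolerates one step of clock drift and refuses to accept the same step twice.

```python
import hashlib
import hmac
import struct
import time

# Constructed demo seed. A real token's seed is programmed at manufacture and
# shared only between the device and the authentication server.
DEMO_SEED = b"constructed-demo-seed-not-a-real-token-secret"
STEP_SECONDS = 30   # the article's 30-second code lifetime
DIGITS = 6          # the article's six-digit code


def time_step(timestamp: float, step: int = STEP_SECONDS) -> int:
    """Map a Unix timestamp onto the counter the token and server both derive from their clocks."""
    return int(timestamp) // step


def generate_code(seed: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226-style code for one counter: HMAC-SHA1, dynamic truncation, then mod 10^digits."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(seed: bytes, timestamp: float) -> str:
    """What the keychain device displays at a given moment: seed + current time step."""
    return generate_code(seed, time_step(timestamp))


class Verifier:
    """Hypothetical server side: checks the password (something you know), recomputes the
    code (something you have), allows +/- drift_steps of clock skew, and consumes each
    accepted step so a captured code cannot be replayed inside its window."""

    def __init__(self, seed: bytes, password: str, drift_steps: int = 1):
        self.seed = seed
        # Demo only: a real deployment would store the password with a slow KDF such as scrypt or Argon2.
        self.password_hash = hashlib.sha256(password.encode()).hexdigest()
        self.drift_steps = drift_steps
        self.last_accepted_step = -1  # highest time step already used for a successful login

    def check(self, password: str, code: str, now: float) -> bool:
        # First factor: the password. Constant-time compare avoids leaking which byte differed.
        candidate = hashlib.sha256(password.encode()).hexdigest()
        if not hmac.compare_digest(candidate, self.password_hash):
            return False
        # Second factor: recompute the code for the current step and its neighbours.
        current = time_step(now)
        for step in range(current - self.drift_steps, current + self.drift_steps + 1):
            if step <= self.last_accepted_step:
                continue  # this step (or an older one) was already spent: a replay
            if hmac.compare_digest(generate_code(self.seed, step), code):
                self.last_accepted_step = step
                return True
        return False


def demo() -> None:
    """Walk through the phishing scenario from the comment: the captured code works once, then never again."""
    verifier = Verifier(DEMO_SEED, "correct horse battery staple")
    t = time.time()
    captured = totp(DEMO_SEED, t)                       # what the victim typed into the fake page
    print("phisher, 10 s later :", verifier.check("correct horse battery staple", captured, t + 10))
    print("phisher, 20 s later :", verifier.check("correct horse battery staple", captured, t + 20))
    print("phisher, 90 s later :", verifier.check("correct horse battery staple", captured, t + 90))


if __name__ == "__main__":
    demo()
```

The second and third calls in `demo()` fail for different reasons: the second because the step was already consumed by the first login, the third because the window has moved on and the server no longer recomputes that step at all. Neither protects against the relay attack a later commenter mentions, where the code is forwarded to the real site immediately, which is why the single-use check matters only as much as the window is short.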
Ugh, this really sucks. I use Paypal mainly for eBay purposes, and I could easily get along without it considering how infrequently I eBay, but several of my mystery shopping companies only pay through Paypal. I don't think it's right that I should have to "pay" for this device in order to get paid. When I'm done with Paypal, can I send it back for a refund? I doubt it.
k4
This would guard against those emails, because the phisher would need the number from the device to log in and clean out the account. Since that number changes every 30 seconds, he would have to prompt for the magic number on the fake login phishing page, then manage to log in to paypal within 30 seconds after the user was phished. Since the magic number keeps changing, he won't be able to log in more than once.
Or, they can just email members and say "Don't be a damn idiot! Don't log in through emails! Log in through the Paypal home page!"
And save lots of time and effort.
Unless, of course, they are turning a profit from these stupid devices.
They're not SecurID -- that's an RSA brand. Paypal is selling VeriSign tokens.
Kevin, I think you might be wrong there. RSA's website says they sell SecurID. http://www.rsasecurity.com/node.asp?id=3051
It won't help with a "man in the middle" attack, i.e. if the phisher knows what they are doing and the user falls for the fake web page.
But the big question is will they accept you knowing the number as proof you exist instead of having to fax copies of your utility bill at 3:30am to get your account unlocked?
Somehow I don't think so.
Wait...what?
From what I know, the biggest security problem is those emails that say, "You need to log in to verify something!"
I find this a bit unnecessary.