Add Super-Protection To Your Logins With $5 Security Key

If you have a PayPal or eBay account, or use OpenID to log in to participating sites, then for $5 you can add a second layer of security that is virtually impossible to break unless the thief physically locates you and steals a little plastic device. The PayPal Security Key is a small, keychain-ready fob with a unique ID that’s tied to your account. It generates a new six-digit code every 30 seconds, which you have to enter whenever you log in. The downside is that you have to have your security key with you in order to read the code. But the benefits are huge: you basically have a second password that changes 2,880 times every day—and that isn’t available anywhere online.
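To make the "new six-digit code every 30 seconds" concrete, here is an added example (not PayPal's or VeriSign's code) of how a time-based one-time code is produced and checked. It assumes the fob follows the standard RFC 6238 TOTP construction on top of RFC 4226 HOTP, which the post does not state; the seed is the RFC test-vector secret, not a real token seed. It also shows the server-side detail the post leaves out: a small drift window, so a code typed a few seconds after the display changed is still accepted, while older codes are not.

```python
"""Added example: time-based one-time codes of the kind the post describes.
The fob and the server share a secret; each derives a six-digit code from
the current 30-second time step, and the server accepts a login only if the
submitted code matches. Assumption: the VeriSign token is modelled here as
RFC 6238 TOTP; this is illustrative code, not any vendor's implementation."""
import hashlib
import hmac
import struct

STEP_SECONDS = 30  # the post: a new code every 30 seconds
DIGITS = 6         # the post: six-digit codes


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then
    dynamic truncation to a zero-padded decimal code."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def time_step(unix_time: int, step: int = STEP_SECONDS) -> int:
    """Which 30-second window a Unix timestamp falls in."""
    return unix_time // step


def totp(secret: bytes, unix_time: int) -> str:
    """What the fob displays at a given moment: HOTP of the time step."""
    return hotp(secret, time_step(unix_time))


def verify_totp(secret: bytes, submitted: str, unix_time: int,
                drift_steps: int = 1) -> bool:
    """Server-side check. Accepts the current step plus or minus
    drift_steps, tolerating small clock skew between fob and server and
    the seconds a user needs to read and type the code. The comparison
    is constant-time so the check itself leaks nothing about how many
    digits matched."""
    if len(submitted) != DIGITS or not submitted.isdigit():
        return False
    current = time_step(unix_time)
    return any(
        hmac.compare_digest(hotp(secret, current + d), submitted)
        for d in range(-drift_steps, drift_steps + 1)
        if current + d >= 0
    )


def codes_per_day(step: int = STEP_SECONDS) -> int:
    """How many distinct codes a fob shows per day (the post's 2,880)."""
    return 86400 // step


# Constructed demo seed: the RFC 6238 test-vector secret, not a real token seed.
DEMO_SECRET = b"12345678901234567890"

if __name__ == "__main__":
    import time
    now = int(time.time())
    code = totp(DEMO_SECRET, now)
    print(f"fob shows {code} for step {time_step(now)}; "
          f"server accepts: {verify_totp(DEMO_SECRET, code, now)}")
    # A code from the previous window is still inside the drift allowance;
    # one from two windows back is not.
    stale = totp(DEMO_SECRET, now - 2 * STEP_SECONDS)
    print(f"code from two windows ago accepted: "
          f"{verify_totp(DEMO_SECRET, stale, now)}")
    print(f"codes per day: {codes_per_day()}")
```

The drift window is the trade-off a server operator tunes: one step either side means a code stays usable for at most about 90 seconds, which is what makes the "read it over the phone" trick in the comments below work only if the caller uses it immediately.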

PayPal is selling the security keys directly, although they’re made and maintained by Verisign. According to this technology blog, the keys “will work with many banks in the future,” but Verisign makes no mention of this anywhere on its site. However, if you have begun to use an OpenID on sites like Basecamp, Zooomr, LiveJournal, Technorati, and hundreds of others, then you can create an OpenID account through Verisign and use the security key with OpenID.

If you lose the security key, PayPal says there are ways to verify your account in order to regain access, but they don’t provide details on their website. So, uh, don’t lose it.

[Update: Ben says if you lose your security key, you can regain access to your account by answering a few additional security questions.]

PayPal Security Key [PayPal]
“PayPal’s New Security Key Opens a World of Possibilities” [CaveMonkey50]

RELATED
Entry on OpenID [Wikipedia]
Verisign Identity Protection Token [Verisign]

Comments


  1. Tush says:

    My bank (ICICI) in India already does this, it’s definitely a good idea.

  2. newlywed says:

    my cousins who work in the financial industry have this – i want!

  3. chili_dog says:

    All well and good, until you lose it and have no access to your account till a new one arrives.

  4. letoofdune says:

    My girlfriend works for the gubment in Washington, DC, and has one of these. We use it as a handy even/odd random number generator when we can’t decide between two options. See, it even has multiple uses!

  5. Antediluvian says:

    We use these for each of our E-Trade accounts. Makes for a heavy keychain, but we feel much safer. And if they’re stolen, they’re useless without the other info (the stuff in your brain– accounts and regular passwords). Just don’t write THAT info on the SecurID fob.

  6. castlecraver says:

    I have one and it’s wonderful. My only complaints: I wish more online services utilized this sort of security feature, and I wish they’d implement a key-generator I could load on my mobile so I don’t have to carry the fob everywhere.

  7. Anonymous says:

    Old, old news. They’ve been doing this for some time now. I have to use one of these to use VPN for the company that I work for. Doesn’t add a lot of security when most people that I work with store them with their laptop. (It’s too much of a pain to have to carry ANOTHER device around.)

  8. castlecraver says:

    Oh, and oftentimes having this (as I don’t carry it everywhere) cuts back on the impulse eBay purchases.

  9. CoolTri says:

    I forgot how nice it looked; all the logos have worn off of mine. I have had this for over a year hanging from my key chain. It does get a little annoying to have to go get my keys to do any PayPal transaction, but in the long run I know it’s only me accessing my account.

  10. For PayPal it’s somewhat useless in the sense that if you don’t have it (or you’re a thief) you can still log on to the account with a credit card #, checking acct # or security question answers

  11. bluesunburn says:

    I’ve had one of these for a few months now, and it works really well.

    The few times I misplaced the keytag, Paypal just asked me some extra security questions to authorize me.

  12. nweaver says:

    If you just use the credit card only, who the F@#)(* cares, you are protecting paypal, not yourself.

  13. britne says:

    I’ve had mine for about a year, when they started giving them out for free to people with a PayPal business account, don’t know if they still do that for free though. Sometimes a hassle, but I like the extra security. The only thing I don’t like is that it ties into my eBay (and therefore Half.com) accounts, so updating my sales/auction items is a little more trouble than it’s worth. I’d like to see the option to choose which services you use it with.

  14. tkozikow says:

    I was an early adopter, but refuse to carry it on my keychain which means that it sits on my home office desk. Since my wife refuses to understand how PayPal works, she usually asks me to complete her purchases. Not really a big deal except for the 10-15 days per month that I am traveling for business.

    While I believe that it provides enhanced security, accessing PayPal without it is a PITA and there does not seem to be an option for removing this feature from my PayPal account.

  15. cornish says:

    I ordered one when they first went on sale and used it once before deciding it was too big to put on my keychain (I’m holding out for a wallet-friendly form factor).

    I’ve never removed the device from my PayPal account so I’m quite familiar with the “ways to verify your account in order to regain access”. Actually, you never lose access. If you don’t have the device handy all you have to do is answer one or two additional security questions (none of which are terribly secure) and you have access to your account.

  16. cornish says:

    @tkozikow: Instead of selecting “I don’t have my PayPal Security Key. The key isn’t lost, but I don’t have it right now.” try “My PayPal Security Key is lost or broken. I would like to log in and deactivate my Security Key.” Works like a charm. Now that I confirmed how to do it I’ll have to re-add the device to my PayPal account tonight. I don’t care for the device, but I do like the extra hoops it forces you through.

  17. Lewis says:

    @cornish: Back in the day, the old school SecurID tokens (pre-RSA, I think) were credit card sized (but far thicker) – I remember that they also came with a warning that putting it in a wallet in your back pocket could be a potentially hostile environment for the card’s sensitive electronics. The keyfob form factor is a big improvement, IMO.

    The challenge though is I’m already sporting two keyfobs. Not sure why more companies don’t use the cell phone as a token – it’s a device just about everyone has, carries with the most of the time, and is a zero cost outlay on the token side. (Granted, for this to work well 1) the sub needs to have an unlimited SMS plan and/or 2) there needs to be a mechanism for the SMS fee to be picked up by whomever owns the site being logged in to.)

  18. Takkun says:

    I have one, and while I really like the slightly increased security, it still bothers me that you can still access it by answering two relatively simple security questions (like mother’s maiden name and the last four digits of your SS#).

    I hope they come up with a better system than that.

  19. kingoman says:

    Or you could just not give your account information to phishers.

  20. Trai_Dep says:

    I wonder if the same security benefits accrue if it’s in a soft (cell, iPod…) form. NOT laptop, obviously (well, perhaps with (yet another) password)… Can’t think of any negatives, although syncing your soft-fob with whatever site might require some work?

    Any security brainiacs want to comment?

  21. stevemis says:

    Well, congrats to eBay for starting this program. The whole “something you have” (fob) and “something you know” (username/password) is the right way to handle financial authentication.

    Unfortunately, they seem to have screwed the pooch by substituting basic questions/answers for the fob. I think this is more of a marketing ploy with Verisign than a security measure.

    A far better approach would be to have their system place a telephone call to your phone number (already on file) and ask you to enter a special code that appears in your browser. Alternately, it could call and give you a special code (by voice) and have you enter that into the browser.

    This technique, perhaps coupled with some additional security questions, would do a decent job of authenticating you in the event the fob is lost or nonfunctional.

  22. satoru says:

    The reason keyfobs are not very popular is because they are VERY expensive. From RSA they can be about $50-$100 a pop which if you try to give them away for free to your customers can be hard to justify. Not to mention replacement costs for customers that lose them, it’ll be hard to convince them to shell out $50.

    They did have a Palm software version of the token, but I think that wouldn’t make much sense today if you ported it to the PC, as a trojan could compromise your computer and then know what the program was generating.

  23. m0unds says:

    Oddly enough, I bought one of these yesterday after a friend told me about it. It’s a good idea, considering Paypal has account information and eBay is constantly having security issues.

  24. Trai_Dep says:

    Yeah. I could see a soft-fob that works w/ portable equipment that’s not a computer. Have a wi-fi enabled doohickie that verifies with the authority-granter in one communication stream, paired with the other communication stream on your computer. SEEMS like it’d be secure (depending on the particulars, of course). But having two parallel, fairly secure mechanisms would seem to offer decent security.

    I wouldn’t carry a hard fob – too much junk to carry as it is. Piggyback it on my iPod or cellie, though, I’d consider it.

  25. FLConsumer says:

    Screw this — just keep your PayPal account linked to your credit card only and just do a chargeback if something happens.

  26. gkrall says:

    I’m the technical director for the PiP/SeatBelt product here at Verisign. The PiP is the OpenID provider referenced in this post and you can check it out at: [pip.verisignlabs.com.]

    The author of the post is exactly correct that once you have bound your Paypal issued token with your account at Paypal you can link it to your PiP account for OpenID requests.

    We have extended our implementation such that if you do not have your token or have lost it you can still access your account by having a PIN sent to either your registered mobile phone via SMS or to your registered email address. You can use this to unbind a lost token from your account or as a temporary measure if you do not have it and don’t have to worry about carrying it with you as noted above.

  27. lonelymaytagguy says:

    Hello, this is PayPal security. We think someone has been trying to hack into your account.

    Would you please verify your password: our records show it’s MyDogSpot. Oh, it isn’t? That may be the problem, what is it now so I can fix your account? Ok, thank you.

    Now what code is showing right now on your security key? OK, that’s right.

    Please wait 24 hours before logging into your account. Have a nice day!

  28. Tankueray says:

    How do these security keys work? How does PayPal know what number is showing on the key at any given time? Are they wireless? Where do they get their random numbers? I knew a guy that had one of these for work and he logged onto his computer with it, I was fascinated. If my bank offered this I would probably get one.

  29. numindast says:

    These are two-factor security tokens. We use them where I work too, a different brand but same idea.

    The random numbers are generated on the token using a fancy mathematical algorithm. The server end knows the algorithm too, which is why it can authenticate or deny access.

    The ones we use where I work can get “out of sync” if you push the button too many times without successfully logging in (ours generate a new code every button-push). I wonder if these are the same… it takes a network administrator to resync the tokens.
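The "out of sync" situation numindast describes comes from event-based tokens, where each button press advances a counter and the server only learns of a press when a code is submitted. Here is an added example (illustrative code, not any vendor's implementation) of that token model and the server-side look-ahead window that absorbs a handful of idle presses; pressing past the window is the out-of-sync state, and the two-consecutive-codes resynchronisation is what an administrator then performs. It assumes the RFC 4226 HOTP construction and its look-ahead/resync approach, and uses the RFC test-vector seed rather than a real token seed; the PayPal/VeriSign fob in the post is time-based, so this models the commenter's work tokens rather than PayPal's.

```python
"""Added example: an event-based (button-press) token and the server-side
look-ahead window that keeps it in sync. Assumption: RFC 4226 HOTP with a
look-ahead window and a two-code administrator resync; illustrative code,
not any vendor's implementation."""
import hashlib
import hmac
import struct

DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 of the 8-byte big-endian counter, dynamically
    truncated to a zero-padded decimal code."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


class DemoToken:
    """The fob: a counter that advances on every button press."""
    def __init__(self, secret: bytes) -> None:
        self.secret = secret
        self.counter = 0

    def press(self) -> str:
        code = hotp(self.secret, self.counter)
        self.counter += 1
        return code


class HotpVerifier:
    """Server-side record for one token: the shared secret, the next
    counter value it expects, and how far ahead it is willing to look."""
    def __init__(self, secret: bytes, look_ahead: int = 10) -> None:
        self.secret = secret
        self.counter = 0
        self.look_ahead = look_ahead

    def verify(self, submitted: str) -> bool:
        """Accept the code if it matches any counter in [counter, counter +
        look_ahead]; on success move the stored counter past the matched
        value so that code, and every earlier one, can never be replayed."""
        if len(submitted) != DIGITS or not submitted.isdigit():
            return False
        for c in range(self.counter, self.counter + self.look_ahead + 1):
            if hmac.compare_digest(hotp(self.secret, c), submitted):
                self.counter = c + 1
                return True
        return False

    def admin_resync(self, first: str, second: str,
                     search_limit: int = 1000) -> bool:
        """Administrator resync: the user reads two consecutive codes off the
        token and the server searches a much larger counter range for the
        pair. Requiring two codes makes a chance match negligible."""
        for c in range(self.counter, self.counter + search_limit):
            if (hmac.compare_digest(hotp(self.secret, c), first)
                    and hmac.compare_digest(hotp(self.secret, c + 1), second)):
                self.counter = c + 2
                return True
        return False


# Constructed demo seed (the RFC 4226 test-vector secret), not a real token seed.
DEMO_SECRET = b"12345678901234567890"

if __name__ == "__main__":
    token = DemoToken(DEMO_SECRET)
    server = HotpVerifier(DEMO_SECRET, look_ahead=2)
    code = token.press()
    print("first login:", server.verify(code), "| replay of same code:",
          server.verify(code))
    token.press()                          # one idle press the server never sees
    print("one idle press, still inside the window:", server.verify(token.press()))
    for _ in range(3):
        token.press()                      # more idle presses than the window
    late = token.press()
    print("past the window (out of sync):", server.verify(late))
    print("admin resync with two consecutive codes:",
          server.admin_resync(late, token.press()), "-> counter", server.counter)
```

The size of the look-ahead window is the same kind of trade-off as the drift window of a time-based token: wide enough that a few idle presses do not lock the user out, narrow enough that an attacker guessing codes gets only a handful of valid targets per attempt.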

  30. Chaluapman says:

    Paypal owns verisign.

  31. sydee says:

    Chaluapman: That statement appears to be in error. Per financial summary:
    “On January 31, 2007, the Company and Fox Entertainment (Fox), a subsidiary of News Corporation, and various subsidiaries of the Company and Fox, finalized two joint venture agreements to provide mobile entertainment to consumers on a global basis.”

    P.S. I got a Paypal Security Token as soon as I learned about them via the Security Now! podcast.

  32. solipsistnation says:

    Verisign used to own PayPal, but spun them off into an independent company a couple of years ago. PayPal definitely does NOT own Verisign.

    These fobs are pretty keen, although the complaints about having another thing to haul around are valid. It’s still decent 2-factor authentication.

  33. dethl says:

    I just ordered one of these. It reminds me of the old CryptoCard I had back during one of my internships for one of the major Labs. Never got to use it though….never had a reason to.

  34. djyox says:

    I’ve owned one of these from the last time consumerist.com posted up about the cool little tool.

    Don’t worry about not having the key when you need to use it; if you don’t have the key, you can also enter in your CC#, bank# or one other. I just had to do that today to grab an eBay deal as I’m at work and it’s at home.

    Not a bad way to spend the cost of a beer at the bar + tip

    Sorry if this was already written up above.