Add Super-Protection To Your Logins With $5 Security Key
If you have a PayPal or eBay account, or use OpenID to log in to participating sites, then for $5 you can add a second layer of security that is virtually impossible to break unless the thief physically locates you and steals a little plastic device. The PayPal Security Key is a small, keychain-ready fob with a unique ID that's tied to your account. It generates a new six-digit code every 30 seconds, which you have to enter whenever you log in. The down side is you have to have your security key with you in order to read the code. But the benefits are huge: you basically have a 2nd password that changes 2,880 times every day—and that isn't available anywhere online.
PayPal is selling the security keys directly, although they're made and maintained by Verisign. According to this technology blog, the keys "will work with many banks in the future," but Verisign makes no mention of this anywhere on its site. However, if you have begun to use an OpenID on sites like Basecamp, Zooomr, LiveJournal, Technorati, and hundreds of others, then you can create an OpenID account through Verisign and use the security key with OpenID.
If you lose the security key, PayPal says there are ways to verify your account in order to regain access, but they don't provide details on their website. So, uh, don't lose it.
[Update: Ben says if you lose your security key, you can regain access to your account by answering a few additional security questions.]
PayPal Security Key [PayPal]
"PayPal's New Security Key Opens a World of Possibilities" [CaveMonkey50]
RELATED
Entry on OpenID [Wikipedia]
Verisign Identity Protection Token [Verisign]
Comments:
I've had mine for about a year, when they started giving them out for free to people with a PayPal business account, don't know if they still do that for free though. Sometimes a hassle, but I like the extra security. The only thing I don't like is that it ties into my eBay (and therefore Half.com) accounts, so updating my sales/auction items is a little more trouble than it's worth. I'd like to see the option to choose which services you use it with.
I was an early adopter, but refuse to carry it on my keychain which means that it sits on my home office desk. Since my wife refuses to understand how PayPal works, she usually asks me to complete her purchases. Not really a big deal except for the 10-15 days per month that I am traveling for business.
While I believe that it provides enhanced security, accessing PayPal without it is a PITA and there does not seem to be an option for removing this feature from my PayPal account.
I ordered one when they first went on sale and used it once before deciding it was too big to put on my keychain (I'm holding out for a wallet-friendly form factor).
I've never removed the device from my PayPal account so I'm quite familiar with the "ways to verify your account in order to regain access". Actually, you never lose access. If you don't have the device handy all you have to do is answer one or two additional security questions (none of which are terribly secure) and you have access to your account.
@tkozikow: Instead of selecting "I don't have my PayPal Security Key. The key isn't lost, but I don't have it right now." try "My PayPal Security Key is lost or broken. I would like to log in and deactivate my Security Key." Works like a charm. Now that I confirmed how to do it I'll have to re-add the device to my PayPal account tonight. I don't care for the device, but I do like the extra hoops it forces you through.
@cornish: Back in the day, the old school SecurID tokens (pre-RSA, I think) were credit card sized (but far thicker) - I remember that they also came with a warning that putting it in a wallet in your back pocket could be a potentially hostile environment for the card's sensitive electronics. The keyfob form factor is a big improvement, IMO.
The challenge though is I'm already sporting two keyfobs. Not sure why more companies don't use the cell phone as a token - it's a device just about everyone has, carries with them most of the time, and is a zero cost outlay on the token side. (Granted, for this to work well 1) the sub needs to have an unlimited SMS plan and/or 2) there needs to be a mechanism for the SMS fee to be picked up by whoever owns the site being logged in to.)
Well, congrats to eBay for starting this program. The whole "something you have" (fob) and "something you know" (username/password) is the right way to handle financial authentication.
Unfortunately, they seem to have screwed the pooch by substituting basic questions/answers for the fob. I think this is more of a marketing ploy with Verisign than a security measure.
A far better approach would be to have their system place a telephone call to your phone number (already on file) and ask you to enter a special code that appears in your browser. Alternately, it could call and give you a special code (by voice) and have you enter that into the browser.
This technique, perhaps coupled with some additional security questions, would do a decent job of authenticating you in the event the fob is lost or nonfunctional.
The reason keyfobs are not very popular is because they are VERY expensive. From RSA they can be about $50-$100 a pop which if you try to give them away for free to your customers can be hard to justify. Not to mention replacement costs for customers that lose them, it'll be hard to convince them to shell out $50.
They did have a Palm software version of the token, but I think that wouldn't make much sense today if you ported it to the PC. As a trojan could compromise your computer and then know what the program was generating.
Yeah. I could see a soft-fob that works w/ portable equipment that's not a computer. Have a wi-fi enabled doohickey that verifies with the authority-granter in one communication stream, paired with the other communication stream on your computer. SEEMS like it'd be secure (depending on the particulars, of course). But having two parallel, fairly secure mechanisms would seem to offer decent security.
I wouldn't carry a hard fob - too much junk to carry as it is. Piggyback it on my iPod or cellie, though, I'd consider it.
I'm the technical director for the PiP/SeatBelt product here at Verisign. The PiP is the OpenID provider referenced in this post and you can check it out at: [pip.verisignlabs.com.]
The author of the post is exactly correct that once you have bound your Paypal issued token with your account at Paypal you can link it to your PiP account for OpenID requests.
We have extended our implementation such that if you do not have your token or have lost it you can still access your account by having a pin sent to either your registered mobile phone via SMS or to your registered email address. You can use this to unbind a lost token from your account or as a temporary measure if you do not have it and don't have to worry about carrying it with you as noted above.
Hello, this is PayPal security. We think someone has been trying to hack into your account.
Would you please verify your password: our records show it's MyDogSpot. Oh, it isn't? That may be the problem, what is it now so I can fix your account? Ok, thank you.
Now what code is showing right now on your security key? OK, that's right.
Please wait 24 hours before logging into your account. Have a nice day!
How do these security keys work? How does PayPal know what number is showing on the key at any given time? Are they wireless? Where do they get their random numbers? I knew a guy that had one of these for work and he logged onto his computer with it, I was fascinated. If my bank offered this I would probably get one.
These are two-factor security tokens. We use them where I work too, a different brand but same idea.
The random numbers are generated on the token using a fancy mathematical algorithm. The server end knows the algorithm too, which is why it can authenticate or deny access.
The ones we use where I work can get "out of sync" if you push the button too many times without successfully logging in (ours generate a new code every button-push). I wonder if these are the same... it takes a network administrator to resync the tokens.
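The post describes a token that produces a new six-digit code every 30 seconds (2,880 per day), and the comment above explains that the server "knows the algorithm too" and that button-press tokens can fall "out of sync". The following is an added example, not code from the post, from PayPal or from Verisign: it implements the standard HOTP (RFC 4226) and TOTP (RFC 6238) constructions that such tokens are commonly built on, which is an assumption about the design rather than a statement about the PayPal key itself. The shared secret is the RFC 4226 test secret, used here as a constructed sample value, and it shows both the time-window tolerance a verifier uses for a clock-based token and the look-ahead window that lets a server resynchronize with an event-based token after a few unused button presses.

```python
import hashlib
import hmac
import struct

# Constructed sample seed: the ASCII test secret from RFC 4226, not any real token's seed.
# A real token and its server share one such secret, set at manufacture and never sent online.
SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """Event-based code (RFC 4226): HMAC-SHA1 over the 8-byte counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # low nibble of the last byte picks a 4-byte window
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """Time-based code (RFC 6238): the counter is the number of `step`-second periods since the epoch."""
    return hotp(secret, unix_time // step, digits)


def codes_per_day(step: int = 30) -> int:
    """How many distinct codes a time-based token shows per day (the post's 2,880 for 30 s)."""
    return 86400 // step


def verify_totp(secret: bytes, submitted: str, unix_time: int, step: int = 30, skew: int = 1) -> bool:
    """Server-side check for a clock-based token.

    The server computes the same code from its own clock and accepts the current period plus
    `skew` periods either side, so small clock drift or typing delay does not reject a valid code.
    """
    current = unix_time // step
    for counter in range(current - skew, current + skew + 1):
        if hmac.compare_digest(hotp(secret, counter), submitted):
            return True
    return False


def verify_hotp(secret: bytes, submitted: str, server_counter: int, look_ahead: int = 10):
    """Server-side check for a button-press (event) token.

    The server remembers the next counter it expects. If the user pressed the button a few times
    without logging in, the token is ahead of the server; searching `look_ahead` counters forward
    resynchronizes automatically. Past or too-far-ahead codes are rejected, and the returned value
    is the new server counter (None means rejected). Beyond the window an administrator must resync.
    """
    for counter in range(server_counter, server_counter + look_ahead + 1):
        if hmac.compare_digest(hotp(secret, counter), submitted):
            return counter + 1
    return None


if __name__ == "__main__":
    import time
    now = int(time.time())
    code = totp(SECRET, now)
    print("current code:", code, "accepted:", verify_totp(SECRET, code, now))
    print("codes per day:", codes_per_day())
    # Event token pressed three times before the user finally logs in: server catches up.
    print("hotp resync -> next counter:", verify_hotp(SECRET, hotp(SECRET, 3), 0))
```

Because the secret never leaves the token or the server, an attacker who sees a code in transit learns only a value that expires within the window; the defence therefore depends on keeping `skew` and `look_ahead` small and on never accepting a counter the server has already consumed, which is what the replay rejection in `verify_hotp` enforces.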
Chaluapman: That statement appears to be in error. Per financial summary:
"On January 31, 2007, the Company and Fox Entertainment (Fox), a subsidiary of News Corporation, and various subsidiaries of the Company and Fox, finalized two joint venture agreements to provide mobile entertainment to consumers on a global basis."
P.S. I got a Paypal Security Token as soon as I learned about them via the Security Now! podcast.
I've owned one of these from the last time consumerist.com posted up about the cool little tool.
Don't worry about not having the key when you need to use it, if you don't have the key, you can also enter your CC#, bank#, or one other. I just had to do that today to grab an ebay deal as I'm at work and it's at home.
Not a bad way to spend the cost of a beer at the bar + tip
Sorry if this was already written up above.
My bank (ICICI) in India already does this, it's definitely a good idea.