
Free iPhone App Improves Paypal And EBay Security


We've posted before about security keys—those little digital keyfobs that generate expiring security codes over and over and make it incredibly hard for someone to gain unauthorized access to your account. They're a great idea, and now if you own an iPhone you can install a Verisign app that will work with Paypal and eBay, as well as about two dozen lesser known sites. It's probably the easiest step you can take to vastly improve security on those accounts.

It can be a little confusing to connect the Verisign app on your iPhone to your Paypal account, so we've taken screen shots of the process. Here's what you have to do.



To launch the app info page in iTunes, click here. Sorry, it won't work on iPod Touch devices yet.

Update: To address reader questions below, what this does is add a second password to your account. Unlike your real password, however, this one is automatically generated every 30 seconds. Because you register the serial number of the keyfob with the site (e.g. Paypal), the site can generate the same password every 30 seconds that your keyfob does, so the two always agree. Now when you log in with your normal password, you'll be taken to a second screen where you have to enter the currently valid temporary password to finish logging in.

Because it's changing every 30 seconds, it's virtually useless to steal the password—you'd have to steal the keyfob or the iPhone. And since most online theft doesn't take place physically near you, it's unlikely that a criminal will be able to grab your real password and your keyfob or iPhone.
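The 30-second shared-code mechanism described in the update, as an added example (constructed here, not the Verisign VIP app's or PayPal's own code): an OATH time-based one-time password (TOTP, RFC 6238) is derived by both the token and the site from a secret stored under the registered credential serial. The `REGISTRY` contents, the serial and the secret are constructed values (the secret is the RFC 6238 test-vector key).

```python
# Added illustration of an OATH TOTP (RFC 6238) second-factor flow: token and site
# derive the same 6-digit code from a shared secret and the current 30-second step.
# Constructed example, not the Verisign VIP app's code.
import hashlib
import hmac
import struct
import time

STEP_SECONDS = 30
DIGITS = 6

# Constructed registry: what the site stores once you register a credential serial.
# The secret is the RFC 6238 test-vector key, not a real provisioned VIP secret.
REGISTRY = {"alice": {"serial": "VSMT00000000", "secret": b"12345678901234567890"}}


def totp_code(secret: bytes, unix_time: int, step: int = STEP_SECONDS, digits: int = DIGITS) -> str:
    """Code for the time step containing unix_time: HMAC-SHA1 over the step counter,
    dynamically truncated to 31 bits, reduced modulo 10**digits (RFC 4226 section 5.3)."""
    counter = unix_time // step
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    truncated = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % (10 ** digits)).zfill(digits)


def verify_code(secret: bytes, submitted: str, unix_time: int, skew_steps: int = 1) -> bool:
    """Site-side check: accept the current step plus skew_steps neighbours on either side
    (clock drift, or the code rolling over while the user types it); constant-time compare."""
    for delta in range(-skew_steps, skew_steps + 1):
        expected = totp_code(secret, unix_time + delta * STEP_SECONDS)
        if hmac.compare_digest(expected, submitted):
            return True
    return False


def second_factor_login(username: str, submitted: str, now=None) -> bool:
    """The second login screen: after the normal password succeeds, look up the secret
    registered for this account and check the submitted temporary password. The token
    runs the same totp_code() on the same secret, which is why both sides agree."""
    record = REGISTRY.get(username)
    if record is None:
        return False
    now = int(time.time()) if now is None else now
    return verify_code(record["secret"], submitted, now)


if __name__ == "__main__":
    t = int(time.time())
    code = totp_code(REGISTRY["alice"]["secret"], t)  # what the app would display right now
    print("current code:", code, "accepted:", second_factor_login("alice", code, t))
```

The one-step tolerance in `verify_code` is the usual trade-off for the 30-second window some commenters worry about; tightening `skew_steps` to 0 rejects a code the moment it rolls over.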


Comments:

user-pic

I don't understand what this is for. Can I give away a "keyfob" as a gift or what? Should I avoid this or what?
Like many people in this world and concerning many things, do not get mad at me for not knowing what this is.

user-pic

This is cool, but I'm worried about what happens on those rare occasions when I'm not near my iPhone. Or, more realistically, when the battery is dead.

Is there some longer confirmation process that I can use to log in anyway? Or am I SOL?

user-pic

@juddcarlos2003:
It's a security tool. In addition to your Username and password, you would also enter the code on the keyfob. It generates new codes every minute or so, making it nearly impossible for someone to misuse your identity.


If all the credit card companies would require something like this, identity theft would come to a screeching halt.

user-pic

@pjorg: If you just don't have it with you at the moment, you'll have to go through a verification process to authorize that you're the owner of the account.

If you've lost it, you'll have to verify you're the account owner and then disable the security key from your account.

user-pic

This comes in handy if you don't have a robust text messaging plan on your cell phone. If you do have a good text plan, PayPal/eBay can send you a text with a six-digit code every time you want to login...this is equivalent to the iPhone app and can be a faster option.

For me, I use this on PayPal, but not eBay, because I probably login to eBay 5 times more than PayPal, and it's not worth the hassle of pulling a code every one of those times.

user-pic

@tvmitch: If you'd rather go this route, click the middle option in step 4 above. (The one I marked with "not this one!") There you'll enter your cellphone number and be sent a text message that authorizes your phone with your account, and then the rest is as tvmitch describes.

user-pic

It doesn't make it hard for someone to break into your account.

It makes it hard for people without physical access to your stuff to break in.

user-pic

Improved Paypal security is great!!!!
Unless of course Paypal is the one stealing your money.

user-pic

My wife uses this sort of thing to access patient records from home. Due to health records privacy laws (HIPAA...the reason we have to fill out a new form at the doctor/dentist yearly).


Seems to me that this would not be as secure as the keyfob. The keyfob has no radio and can not be hacked. It has to be in your physical possession.


Also, would it not be possible to figure out what parameters the software is gathering from the phone and plug these into a program running elsewhere? Again, not possible with the fob since it uses a code associated with that chip.

user-pic

I know World of Warcraft has the same thing for account security. The problem is, the Blizzard Authenticators which are selling for $6.50 in the Blizzard store are sold out and going for over $40 on eBay. [www.blizzard.com]

My question is, will an application be made for WoW just like this so everyone can have the same level of security?

Authenticator FAQ [us.blizzard.com]

user-pic

Ha. People don't need your password to scam you through PayPal and eBay.

user-pic

Doesn't this just make using the iPhone version of eBay and Paypal harder to use? Meaning, once you get the code you have to race to log into the iPhone app before your 30 seconds are up...

At least with the keyfob you can be looking at both at the same time...

user-pic

There is also an iPhone authenticator for Blizzard's Battle.net login, so you can get an authenticator for WoW without having to wait until the key fobs are in stock.

user-pic

@LeJerk: Heh, should have read the thread before posting my comment. Yep, Blizzard has an iPhone authenticator app, and it's free.

user-pic

I was thinking a version for regular cell phones. The PayPal site has one, but the Battle.Net one is "Coming Soon" for the U.S.A.

user-pic

@JGBrock: This would assume however that the person trying to hack into your PayPal/eBay account was also trying to hack into your iPhone at the same exact time. This would require the hacker to know that you had an iPhone and to be in close enough proximity to your phone so that he could somehow intercept any data that is being transmitted.


It may not be as foolproof or as secure as the fob, but it will stop probably 99.99% of the hackers, and the remaining 0.01% would need to have so many things going right for them that it is highly unlikely that they would be able to gain access.

user-pic

Security and PayPal in the same sentence is an oxymoron.

user-pic

Now I understand. I wish my credit card companies would apply this. Esp. social and email accounts such as Gmail. Of course, with having the option to turn it off and on. Because I'm paranoid of step mom intruding halfway across the country. The kind of step mom that doesn't exist to you anymore.

user-pic

...the big problem with this is that you're still dealing with the eBay/PayPal hellhole of eternal suffering. There is not the slightest bit of trustworthiness in that infernal conflagration of a corporation.


user-pic

They have it out for the BlackBerry too. I just tried to add myself. T-Mobile isn't supported. WTF? Why is the app carrier dependent? How does my carrier affect how my device operates? It doesn't. And no, it isn't the network, AT&T IS supported. VeriSign = stupid. :)

user-pic

@Geoff Evans: I don't think this was designed for mobile sites.

user-pic

The security claims for these devices are a little bit overblown. It is important that users be confident they are typing their details into the intended site and not a site that merely looks like it.

It is true that confirming who you are is now based on two factors: what you know (your password) and what you have (your keyfob). However, such systems are still open to attack by sufficiently clever and motivated attackers.

The general attack is called man-in-the-middle (please forgive the non-PCness for the alliteration). By tricking a user into going to the attacker's site, the attacker can take the user's password and keyfob password, send it to the real eBay and then send the results back to the user.

This is why it pays to check for the little golden key at the bottom of your browser screen.

user-pic

If you use the Facebook iPhone app it tells you to enter the keyfob code at the end of your password.

And it works.

user-pic

So will PayPal not work on Yodlee/Mint/etc. if you use this?

user-pic

@Blueskylaw:

Too True.
Forget PayPal and eBay!

user-pic

@Geoff Evans:
Good question, I tried that right away. Basically, the PayPal and eBay apps tell you to add the security key to the end of your password. It's not too hard: you open the VIP app, then you've got some time to switch to the other app and log in.

user-pic

@icantreplyright: Boo. No wonder I'm not getting a text message sent to my iPhone, unlocked for T-Mobile.

user-pic

@derelk: Okay, I lied. It doesn't seem that bad in principle, except that login fails every single time. I'm starting to think the iPhone apps aren't working with the security key at all.

user-pic

@derelk: Okay, sorry, I lied again. I'm just an idiot.

It does work. And it's also worth noting that somehow, when you open the VIP app, it always gives you 30 seconds. So each time you have 30 seconds to remember the number, exit, open your eBay/PayPal app, and log in. Not too bad.

user-pic

@pjorg: Specifically, the verification for PayPal will ask you for either the CC number associated with the account, the number of your PayPal debit card, if you have one, or the number of the bank account linked to your PayPal account. You choose which one to put in.

user-pic

@dchoe: In PayPal, you can set up additional sub-users for an account and assign them specific privileges. I made a Mint subuser and gave it only "View Balance" privileges. Then, I use that subuser to link my PayPal to Mint / Yodlee.

user-pic

@LeJerk: that's some real FAIL when people are that concerned with their WoW account security

user-pic

@balls187: The physical access to your Verisign token is useless without your password, and your password is useless without your Verisign token. Someone having physical access to your stuff and brute forcing or guessing your (of course already strong) password is highly unlikely.

user-pic

@humphrmi: Whoops meant to end the {b} after "and".

user-pic

@Geoff Evans: Perhaps it will be easier with copy and paste and iPhone 3.0

user-pic

@pjorg: For that matter, how do you log onto PayPal from your iPhone? 30 seconds seems like a small window for a system that doesn't support multitasking.

user-pic

@YouDidWhatNow?: Yeah man fight the power! Corporations bad! Communes GOOD!! YEAH!!

user-pic

What if you REFUSE to use PayPal? As in, I will no longer shop on EBay if it means I HAVE to use PayPal?


PayPal is not a bank, and it's not a credit card company. It does not have to follow any of the established US Banking rules & regs. They are a totally fly-by-night company that exists for one reason, to get their hands on your money.

user-pic

@humphrmi: A couple things:

One, passwords are inherently a weak form of protection, hence the need for a token.

Second, your token is only as good as its protection. There are two attacks that tokens are vulnerable to:
one is generating the token (the OATH algorithm used is well documented)

and the other is stealing the token.

Neither of these two protections will protect you against man in the middle or phishing attacks.

user-pic

@humphrmi: I can create a fake login site, and all I would need to do is to dupe you into entering your token and password, and I could then log in in your stead.

user-pic

@Harry Pothead: you can continue..not..using them..?