Late last week, I received a very cool little piece of technology in the mail. It’s the Paypal/Ebay security key, and if you use either of those two sites on a regular basis, I highly recommend that you pick one up for yourself too. It’s $5 well spent.
So, here’s what it does. Once you get your key in the mail, you log into your Paypal and Ebay accounts to tie the key to each. From that point on, your regular username and password won’t be enough when you try to log in. Instead, you type them in, then hit the button on the front of your security key. The display on your key will then show a one-time, six-digit passkey that you append to your regular password when logging in. The key generates a new passkey every 30 seconds, and I believe you have an additional 30 seconds to log in before the number expires completely, requiring you to generate a new one. For a really good background on this technology, I recommend listening to a recent episode of Security Now on the subject.
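To make the mechanics concrete, here is an added example (not PayPal’s, eBay’s or VeriSign’s code; the post does not say which algorithm the key uses internally) of the same idea written as a standard time-based one-time password per RFC 4226/6238: the token and the site share a secret seed, both derive the current 30-second window from the clock, and both compute a six-digit code from it. The server side accepts the current window plus the previous one (the extra 30 seconds the post describes) and refuses a code that has already been accepted, which is what makes each passkey one-time. The seed and all names here are constructed for the demonstration.

```python
import hashlib
import hmac
import struct
import time

# Constructed demo seed. A real token's seed is provisioned by the vendor and
# never leaves the device; this value exists only so the script runs offline.
DEMO_SECRET = b"constructed-demo-seed-not-a-real-key"
STEP_SECONDS = 30   # the key shows a new passkey every 30 seconds
DIGITS = 6          # six-digit display


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 8-byte counter,
    dynamically truncated to a `digits`-digit decimal code."""
    msg = struct.pack(">Q", counter)
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = STEP_SECONDS) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to the current time window.
    This is what the button on the key would compute from its own clock."""
    return hotp(secret, unix_time // step)


class OtpVerifier:
    """Server-side check of a submitted passkey.

    Accepts the current window and `back_steps` earlier windows (the grace
    period), compares in constant time, and remembers the highest window
    already consumed so a captured code cannot be replayed."""

    def __init__(self, secret: bytes, step: int = STEP_SECONDS, back_steps: int = 1):
        self.secret = secret
        self.step = step
        self.back_steps = back_steps
        self.last_accepted_counter = -1  # highest window successfully used

    def verify(self, submitted: str, unix_time: int) -> bool:
        now_counter = unix_time // self.step
        # Walk from the current window back through the grace windows.
        for counter in range(now_counter, now_counter - self.back_steps - 1, -1):
            if counter <= self.last_accepted_counter:
                continue  # this window was already consumed: replay rejected
            expected = hotp(self.secret, counter)
            if hmac.compare_digest(expected, submitted):
                self.last_accepted_counter = counter
                return True
        return False


if __name__ == "__main__":
    now = int(time.time())
    code = totp(DEMO_SECRET, now)
    server = OtpVerifier(DEMO_SECRET)
    print("token shows:", code)
    print("first login attempt accepted:", server.verify(code, now))
    print("same code submitted again:", server.verify(code, now + 5))
```

Two design points worth noticing: the comparison uses `hmac.compare_digest` so the check does not leak timing information, and the verifier tracks the last accepted window rather than a list of used codes, which is the usual way to enforce one-time use without unbounded state. A phishing site that captures a username, password and the displayed code still only holds a value that is stale within a minute and, once the victim’s own login consumes it, is rejected outright.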
This all may sound like a hassle, and to some extent it is. But the security benefits of using this type of security key outweigh the inconvenience by a wide margin. The scary fact is, the traditional username/password model of website security is broken. People don’t pick good passwords, some websites have poorly implemented authentication systems that are easy to break or bypass, and it’s extremely easy to either steal this information from someone or even convince them to give it to you. This is especially worrisome when dealing with financial websites.
Two-factor authentication like this, combining “something you know” (username and password) with “something you have” (security key), isn’t unbreakable, but it’s many times more secure than just using a login and password. That’s why a similar model works so well when you use an ATM – both your card and your PIN are required to complete a transaction instead of just one or the other.
Online, Paypal and Ebay are by far the biggest targets of phishing attempts, accounting for an amazing 62 percent of attacks in 2005. Adding a security key to your account doesn’t remove the phishing threat completely, but goes a long way toward reducing it. A phisher could have both your username and password, but they would be useless without the security key. It would be a different story if they had access to that too, but of course all bets are off when someone has physical access to anything.
The one really interesting thing I learned from that Security Now episode I mentioned above is that these security keys aren’t limited to just being used at Paypal and Ebay. Verisign, the creator of the encryption technology used inside the keys, has created a program called VeriSign Identity Protection (VIP) that allows financial institutions and other businesses to use the same security key when logging in to their sites. This would be a huge boon for banks online, and I’m hoping they’ll jump at the chance to participate in this program.
The obvious direction for this technology is to bypass the physical security key altogether and use something else almost everyone already has with them all the time – a mobile phone. It would seem pretty easy to create a phone application that provides the same passkey generation functionality, but without the worry of losing or breaking a plastic key. I hope this happens sooner, rather than later.
Just to reiterate, this security key technology is really impressive stuff that, until now, has only been available to big corporations with lots of money. It’s really in everyone’s best interest to take advantage of this offer ($5 is a great deal for a key like this), so I hope you do.