Two factor authentication and PayPal

Has PayPal’s introduction of a security token improved security (read the news item), and is this a lead worth following?

Personally I believe it is a positive move in the right direction. There is no doubt that two-factor authentication mitigates some of the risk of account compromise. There are those who will highlight the deficiencies of this approach: for instance, Bruce Schneier was rather scathing about 2FA in a blog entry a while ago, commenting that “two-factor authentication doesn’t solve anything”.

It depends on what problem you are trying to solve. If the problem is a perception that the business is not doing enough to prevent accounts being compromised, then from a consumer perspective issuing tokens is a solution. And, as the Washington Post SecurityFix blog notes, “other companies that have widely deployed similar security keys have dramatically cut down on fraud” and one business has “never had an account takeover connected to a customer using one of its security keys.”

The main disadvantages of 2FA are, firstly, the administrative overhead of managing the tokens, which are easy to lose and sometimes break (as I recently discovered), and secondly the proliferation of tokens: if I were a PayPal customer, traded stock using eTrade and banked with Citibank, I would currently have four different tokens in my pocket (including the one I use for my corporate network). That is ridiculous, and not only because of the effect it will have on my trouser pockets. I don’t want to carry all those tokens, and the one I need will always be the one I’ve left in my other suit, which is at the cleaners.

A much better solution, in my opinion, is described here on the Digital Identity Forum. In this blog entry, Dave Birch states

I would much prefer the “white token” solution, as we used to discuss in the early days of multi-application smart cards, where the customer takes responsibility for stronger authentication and goes and buys (let’s say) an OATH-compliant USB key which they then register with their bank, their retailers, their MMORPGs, their social networks and so forth.

Dave goes on to say

2FA is a first step, but it is not the foundation of sustainable digital identity in this form. We have to move to end-to-end security. PKI in smart cards, for example.

So, while 2FA is imperfect, and we can acknowledge that it can be attacked, it does mitigate risk, more so if utilised in association with other anti-fraud measures. At the same time we can see its limitations, and the technology is available for an alternative world in which consumers manage their own security. Perhaps the recent Microsoft team-up with OpenID (discussed here), combined with less publicized MS acquisitions such as that of “a public-key identity management developer” (see this eWeek article from September 2005), might open up possibilities.