Two factor authentication and PayPal

Has PayPal’s introduction of a security token improved security (read the news item), and is this a lead worth following?

Personally I believe that it is a positive move in the right direction. There’s no doubt that two-factor authentication mitigates some risk of an account compromise. There are those who will highlight the deficiencies of this approach – for instance Bruce Schneier is rather scathing of 2FA in a blog entry he made a while ago where he makes the comment that “two-factor authentication doesn’t solve anything”.

It depends what problem you are trying to solve. If the problem is a perception that the business is not doing enough to prevent accounts being compromised then from a consumer perspective issuing tokens is a solution. And as mentioned on the Washington Post SecurityFix blog “other companies that have widely deployed similar security keys have dramatically cut down on fraud” and that one business has “never had an account takeover connected to a customer using one of its security keys.”

The main disadvantages of 2FA are firstly the administrative overhead of managing the tokens which are easy to lose and sometimes break (as I recently discovered), and secondly if I were a PayPal customer, traded stock using eTrade and banked with Citibank then I would currently have four different tokens in my pocket (including the one I use for my corporate network). That is ridiculous and not only because of the effect it will have on my trouser pockets. I don’t want to carry all those tokens and the one I need will always be the one that I’ve left in my other suit that is at the cleaners.

A much better solution, in my opinion, is described here on the Digital Identity Forum. In this blog entry, Dave Birch states

I would much prefer the “white token” solution, as we used to discuss in the early days of multi-application smart cards, where the customer takes responsibility for stronger authentication and goes and buys (let’s say) an OATH-compliant USB key which they then register with their bank, their retailers, their MMORPGs, their social networks and so forth.

Dave goes on to say

2FA is a first step, but it is not the foundation of sustainable digital identity in this form. We have to move to end-to-end security. PKI in smart cards, for example.

So, while 2FA is imperfect, and we can acknowledge that it can be attacked, it does mitigate risk – more so when used in combination with other anti-fraud measures. At the same time we can see its limitations, and the technology already exists for an alternative model in which consumers manage their own security. Perhaps the recent Microsoft team-up with OpenID (discussed here), combined with less-publicised Microsoft acquisitions such as that of “a public-key identity management developer” (see this eWeek article from September 2005), might open up possibilities.


Incorporating some type of Two Factor Authentication into their business model is both a natural and a smart move for the company. It’s also a matter of time before the majority of the business world adopts such technology in one form or another. While it’s not the be all and end all to security it’s the best out there.
I’m not surprised by this move. Though like all technologies two-factor authentication has had its growing pains, it’s the best in security right now and with biometrics on the rise it’s only going to gain a stronger foothold in business. PayPal made a smart decision when they decided to implement TFA.