Cloud ComputingTech NotesTips

PayPal and two-factor authentication

By 2009-08-07One Comment

I’ve been a huge proponent of two-factor (something you know and something you have/are) authentication for several years now.  I understand that nothing is 100% secure, but I haven’t seen anything better come along. 

I’d like to see more services provide this type of authentication option.  PayPal has a feature called Security Key that allows you to add two-factor authentication to your PayPal account.  LogMeIn has a similar implementation for even their free version of the service.  They allow one-time passwords as well as the use of SecurID cards.

I’ve used PayPal’s Security Key with some success.  I only have two concerns with it:

  1. It allows the user to bypass the security key for times when you don’t have your second factor available or the service isn’t working;
  2. The service isn’t 100% reliable (at least not the cell phone key).

I applaud PayPal for introducing additional security to their service. A system as important and valuable as PayPal needs to be a leader in online security. 

Unfortunately, when it allows the user to bypass the security key, it effectively voids the two-factor component and just asks the user for one or more things he already knows, thereby making the first factor a little more complicated and the second factor unnecessary.  The reason they do it is because the service isn’t 100% reliable. 

Even so, I’d like PayPal to allow the user to decide whether they want the system to allow an override of the second factor.  In this way, I can force all authentication to go through my security mechanism and, if it isn’t available or not working, I’ll just have to wait until it is.  I think that is a reasonable compromise.

One Comment

  • Jill Browne says:

    Thanks for this tip on PayPal security. I didn’t know I could get a higher level of security on PayPal, so now I’ll go have a look. Heaven knows, I get a lot of spam wanting me to give out my PayPal details. It’s a real magnet for hackers.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.