I’ve been a huge proponent of two-factor (something you know and something you have/are) authentication for several years now. I understand that nothing is 100% secure, but I haven’t seen anything better come along.
I’d like to see more services provide this type of authentication option. PayPal has a feature called Security Key that allows you to add two-factor authentication to your PayPal account. LogMeIn has a similar implementation for even their free version of the service. They allow one-time passwords as well as the use of SecurID cards.
I’ve used PayPal’s Security Key with some success. I only have two concerns with it:
- It allows the user to bypass the security key for times when you don’t have your second factor available or the service isn’t working;
- The service isn’t 100% reliable (at least not the cell phone key).
I applaud PayPal for introducing additional security to their service. A system as important and valuable as PayPal needs to be a leader in online security.
Unfortunately, when it allows the user to bypass the security key, it effectively voids the two-factor component: the fallback just asks the user for one or more additional things he already knows, which makes the first factor a little more complicated and leaves the second factor unnecessary. The reason they do it is that the service isn’t 100% reliable.
Even so, I’d like PayPal to allow the user to decide whether the system may override the second factor. In this way, I can force all authentication to go through my security mechanism and, if it isn’t available or isn’t working, I’ll just have to wait until it is. I think that is a reasonable compromise.
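To make the point concrete, here is a small model of the login policy described above. It is an added illustration, not PayPal's or LogMeIn's code: the account structure, the `allow_second_factor_bypass` switch, the security questions and the sample secret and password are all assumptions constructed for the example. The one-time code is a standard RFC 4226/6238 HOTP/TOTP computed with the standard library. The comparison shows that, during an outage of the second-factor service, an account with the bypass enabled can be opened with knowledge alone, while an account with the bypass disabled cannot be opened at all until the service is back.

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % (10 ** digits):0{digits}d}"


def totp(secret: bytes, now: int, step: int = 30) -> str:
    """RFC 6238 TOTP: HOTP with the current 30-second window as the counter."""
    return hotp(secret, now // step)


@dataclass
class Account:
    password: str                     # factor 1: something you know
    otp_secret: bytes                 # factor 2: seed held by the token or phone
    security_answers: dict            # fallback questions: still "something you know"
    allow_second_factor_bypass: bool  # the per-user switch the post asks for (assumed)


def authenticate(acct, password, otp=None, answers=None, otp_service_up=True, now=0):
    """Model one login attempt; returns an outcome string instead of printing."""
    if not hmac.compare_digest(password, acct.password):
        return "denied: wrong password"
    if otp_service_up and otp is not None:
        if hmac.compare_digest(otp, totp(acct.otp_secret, now)):
            return "ok: two factors"
        return "denied: wrong one-time code"
    # No usable second factor. Only a bypass-enabled account falls through to
    # the knowledge questions, and those are just more of factor 1.
    if acct.allow_second_factor_bypass and answers is not None:
        expected = acct.security_answers.items()
        if all(answers.get(q, "").strip().lower() == a for q, a in expected):
            return "ok: bypass (single factor only)"
        return "denied: wrong security answers"
    return "denied: second factor required"


def compare_policies(now: int = 1_700_000_000) -> dict:
    """Same credentials, second-factor service down, two policies (constructed data)."""
    secret = b"constructed-demo-seed"
    answers = {"first pet": "rex", "birth city": "austin"}
    lenient = Account("hunter2", secret, answers, allow_second_factor_bypass=True)
    strict = Account("hunter2", secret, answers, allow_second_factor_bypass=False)
    # Someone holding only the password and the answers, but no token.
    knowledge_only = dict(password="hunter2", answers=answers,
                          otp_service_up=False, now=now)
    return {
        "owner with token, strict": authenticate(strict, "hunter2",
                                                 otp=totp(secret, now), now=now),
        "knowledge only, lenient": authenticate(lenient, **knowledge_only),
        "knowledge only, strict": authenticate(strict, **knowledge_only),
    }


if __name__ == "__main__":
    for scenario, outcome in compare_policies().items():
        print(f"{scenario:28} -> {outcome}")
```

The `strict` account is the compromise the post proposes: during an outage its owner is locked out along with everyone else, which is the price of never letting the second factor degrade to a longer list of knowledge questions.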