Two-Factor Part II – OpenID, VeriSign PIP and PhoneFactor

As you may already know, I am a huge believer in two-factor authentication.  You should keep in mind that two-factor authentication is not the absolute answer to Internet security problems.  It is critical that you keep your computer patched with current antivirus software and that you browse and use email with care.

I won’t get too much into the technology other than to say it involves using two of the three factors:  a) something you know,  b) something you have, and c) something you are. The majority of Internet two-factor authentication implementations use the first two factors, since determining something you are (such as a fingerprint or retinal image) involves considerably more logistics than is reasonable for a remote service.  The something you know portion of the system is trivial and widely accepted as username/password combinations.  Of course, password complexity is extremely important and will be the topic of a future post. That leaves us with something you have as the simplest and most common second factor.

It is worth noting that a second username/password combination can never be considered a second factor.  Theoretically, an infinite number of passwords is still part of something you know.  The primary reason that this is important is malware, particularly key-logging software.  This is the reason I am disappointed in PayPal’s two-factor implementation, as described in my previous post on the subject.  If you do implement two-factor authentication with PayPal, you should make sure you never bypass it or you risk exposing your account.

Continue reading

PayPal and two-factor authentication

I’ve been a huge proponent of two-factor (something you know and something you have/are) authentication for several years now.  I understand that nothing is 100% secure, but I haven’t seen anything better come along. 

I’d like to see more services provide this type of authentication option.  PayPal has a feature called Security Key that allows you to add two-factor authentication to your PayPal account.  LogMeIn has a similar implementation for even their free version of the service.  They allow one-time passwords as well as the use of SecurID cards.

I’ve used PayPal’s Security Key with some success.  I only have two concerns with it:

  1. It allows the user to bypass the security key for times when you don’t have your second factor available or the service isn’t working;
  2. The service isn’t 100% reliable (at least not the cell phone key).

I applaud PayPal for introducing additional security to their service. A system as important and valuable as PayPal needs to be a leader in online security. 

Unfortunately, when it allows the user to bypass the security key, it effectively voids the two-factor component and just asks the user for one or more things he already knows, thereby making the first factor a little more complicated and the second factor unnecessary.  The reason they do it is because the service isn’t 100% reliable. 

Even so, I’d like PayPal to allow the user to decide whether they want the system to allow an override of the second factor.  In this way, I can force all authentication to go through my security mechanism and, if it isn’t available or not working, I’ll just have to wait until it is.  I think that is a reasonable compromise.