
PayPal’s New Security Key Opens a World of Possibilities

If you listen to Security Now, by now you have probably heard of PayPal’s Security Key. Essentially, PayPal provides RSA SecurID devices for the low fee of five dollars (PayPal loses money on the purchase; the fee ensures you will actually use the device). The Security Key provides a second layer of authentication by making PayPal logins require a one-time six-digit numeric key generated by the Security Key. By doing so, PayPal verifies the account holder, since the device needs to be physically present at log on. The Security Key is a great extra layer of protection and makes it virtually impossible for anyone to take control of your account.

I love the idea of RSA SecurID devices; however, there is one potential problem. As more websites start providing extra layers of protection, the number of SecurID devices increases. Imagine having to carry a SecurID for every website you log in to. Thankfully, PayPal’s Security Key eliminates this problem.

While PayPal is providing the Security Key, the key is actually a VeriSign Identity Protection (VIP) device, and PayPal is not the only company enrolled. The same key provided by PayPal works with eBay and will work with many banks in the near future. The list does not end there, though.

VeriSign is actually an OpenID provider and allows you to link your Security Key to your OpenID. If you have never heard of OpenID, it is a decentralized login system similar to the glory days of Microsoft’s Passport, but a million times better due to the decentralization. So, that opens up a world of possibilities for your Security Key. If you so choose, your Mag.nolia, Six Apart, Zooomr, Basecamp, MyMileMarker, and other OpenID accounts can all be protected with an extra layer of security. In the near future, your Digg, WordPress, AOL, and Microsoft accounts will benefit from this as well.

Essentially, a PayPal Security Key has the potential to protect your entire online identity. Anyone who regularly does business online should strongly consider picking up the device. Besides, the Security Key just looks geeky and cool. I have one, why don’t you?

13 Comments

  1. anon8mizer on Aug 6, 2007 at 3:06 pm:

    It’s not RSA SecurID tokens. It’s VeriSign Identity Protection (VIP) tokens. If you check out the token image provided by PayPal, you will see the VeriSign logo at the bottom.

  2. Ronald Heft on Aug 6, 2007 at 3:09 pm:

    I’m aware they’re not actually SecurID tokens. In fact, they’re actually Vasco Digipass Go 3 tokens branded under the VIP name. It’s just that SecurID is the easiest thing to compare them to, since some people may already be carrying one.

  3. Jonathan on Aug 6, 2007 at 10:33 pm:

    How long do they last until they expire? We got SecurIDs at work (I imagine sooner or later I will be allowed one for remote access), but the ones we have all expire after a certain amount of time.

  4. Ronald Heft on Aug 6, 2007 at 10:41 pm:

    By expire, do you mean how often the key changes or how long the device is designed to last? The key changes every thirty seconds, so that’s high up on the security scale. As far as device longevity, the Vasco site claims the devices are designed to last five years. However, the PayPal representative on Security Now claimed they should at least last three years.

  5. Jonathan on Aug 7, 2007 at 11:58 pm:

    Can’t believe I said sooner or later I will get one, because today at work, my manager gave me an RSA SecurID token. On the back of the SecurID token it has an expiration date, where the device itself will cease to function. Firstly, the RSA server won’t allow it to be used, and I believe it will have run out of numbers to be used. I am pretty sure the battery itself will last longer; however, there is an expiration date. Perhaps this is a ploy by RSA to make us buy more, since they are rather expensive.

  6. Dave Wild on Aug 15, 2007 at 3:43 pm:

    I love the idea. They’re not available here in the UK yet but I do use the RSA devices at work and they seem to work flawlessly so I have no concerns about it in that regard. The extra layer of security will be welcome and multiple organisations using the same key seems like a good idea so we’re not carrying a pile of them around with us.

    My only concern would be that someone owns the entire system, who owns the usage data, and things like that. It’s probably no worse than Visa with credit cards but I’d like to find out. Also, does it mean that if a government agency wants to investigate you, all they need is to look you up in the ‘Key’ database, find out where you use it and ask for access? I’d definitely want to read all of the small print before I signed up!

  7. Ronald Heft on Aug 15, 2007 at 9:00 pm:

    I wouldn’t be too concerned. The VIP program only adds an extra layer of security to complement the existing layer. If the government had your key they would still need to figure out where it’s being used. There is no central database that I’m aware of besides who’s a VIP participant.

  8. Daniel Aleksandersen on Aug 20, 2007 at 3:06 pm:

    I ordered one as soon as these things were available! I like the added layer of security. PayPal have my banking and my credit card information. I think it is nice to know it has every possible layer of security.

  9. Mike Van on Jan 22, 2008 at 9:46 am:

    I wonder how it works. Shouldn’t there be a very accurate clock inside the device to make sure it stays synchronized to the host? I mean, a low-power watch crystal (which it undoubtedly uses) is at best accurate within a second a week, so after 30 weeks the clocks have drifted apart between the device and the host.
    Does it synchronize itself using the 60 kHz NIST time signal transmitted by WWVB in Ft. Collins, CO?
    http://tf.nist.gov/stations/wwvb.htm
    And if it does, what does that mean when I take the device abroad for a longer period? (WWVB only covers the continental US.)
    I did not open it yet, but I doubt the battery would last as long as they claim if it harbors a NIST receiver. A real mystery.

  10. Ronald Heft on Jan 22, 2008 at 9:54 am:

    Actually, no time synchronization takes place. Instead, the PayPal/VeriSign server synchronizes itself with the first number in the key. That first number relates to the time and allows the PayPal/VeriSign servers to keep track of how far the key has drifted in time. You can see this for yourself by generating keys right after each other. If the first number is 6, the next key’s first number will be 7. In the event the drift is too great, PayPal/VeriSign will just ask you to enter a few keys in a row allowing them to sync back up to the internal clock.

    It’s a pretty neat system, in my own opinion.
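Ronald’s description of drift handling above, as an added example that is not from the original page and is not VeriSign’s actual VIP algorithm: a generic HMAC-based time-step OTP in the style of RFC 4226/6238, where the server learns a token’s clock drift from which time step matched (rather than from a digit in the code) and widens its search only when the user supplies several consecutive codes. The seed, step size, window sizes and timestamps are constructed for the demonstration.

```python
import hmac
import hashlib
import struct

STEP = 30            # the token's code changes every thirty seconds, as the post says
DIGITS = 6           # six-digit numeric code
MAX_WINDOW = 3       # normal login: accept codes up to +/-3 steps from where the server expects
RESYNC_SEARCH = 200  # "enter a few keys in a row": search much wider, but require consecutive matches
DEMO_SECRET = b"constructed demo seed, not a real VIP token seed"

def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 8-byte counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def token_code(secret: bytes, now: int, token_drift_steps: int) -> str:
    """What the hardware token shows: derived from its own clock, which may have drifted."""
    return hotp(secret, now // STEP + token_drift_steps)

class Verifier:
    def __init__(self, secret: bytes):
        self.secret = secret
        self.drift = 0          # how many steps this token's clock is known to be off
        self.last_counter = -1  # highest counter already accepted (blocks code reuse)

    def verify(self, code: str, now: int) -> bool:
        base = now // STEP + self.drift
        for delta in range(-MAX_WINDOW, MAX_WINDOW + 1):
            counter = base + delta
            if counter <= self.last_counter:
                continue  # a code for an already-used step is a replay
            if hmac.compare_digest(hotp(self.secret, counter), code):
                self.drift += delta      # learn the drift from which step matched
                self.last_counter = counter
                return True
        return False

    def resync(self, codes: list, now: int) -> bool:
        """Re-anchor a badly drifted token from several consecutive codes."""
        base = now // STEP + self.drift
        for delta in range(-RESYNC_SEARCH, RESYNC_SEARCH + 1):
            start = base + delta
            if all(hmac.compare_digest(hotp(self.secret, start + i), c)
                   for i, c in enumerate(codes)):
                self.drift += delta
                self.last_counter = start + len(codes) - 1
                return True
        return False
```

A single code is accepted only within the small window, so a token that has drifted far outside it is rejected until the user supplies consecutive codes, which lets the server re-anchor without a time signal.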

  11. Matthew, SF, CA on Aug 14, 2008 at 12:30 pm:

    “VeriSign is actually an OpenID provider and allows you to link your Security Key to your OpenID. ”

    How/where? I created a VeriSign Personal Identity Portal account. What next?

  12. Matthew, SF, CA on Aug 14, 2008 at 12:41 pm:

    Never mind, I found it. Just went to “My Account” and scrolled down to “Strong Authentication”.
    Amusingly, the logo has worn off my key, so I can’t tell which way is up. On my first try, I typed in 686859 instead of 658989, which is the same thing, upside down.
    Works after using it right side up! :)

  13. Aniruddh on Oct 17, 2008 at 5:20 am:

    Does this key work with other websites? Because PayPal provides it for $5, and if I take it from VeriSign it will cost me $30. If the PayPal key works as a VeriSign VIP, then why should I spend $30 when I can get the same technology for $5? VeriSign VIP works with all the websites that have a VeriSign partnership, so does the PayPal key work with other websites?

5 Trackbacks/Pingbacks

  1. links for 2007-10-18 at Bill O’Neill
    on Oct 17, 2007 at 11:22 pm

    [...] PayPal’s New Security Key Opens a World of Possibilities · cavemonkey50.com PayPal provides RSA SecurID devices for the low fee of five dollars. The key is actually a VeriSign Identity Protection (VIP) device. VeriSign is actually an OpenID provider and allows you to link your Security Key to your OpenID. (tags: openid security) [...]

  2. Aaron Landry » PayPal Security Key
    on Oct 23, 2007 at 2:33 pm

    [...] I was pleasantly surprised to find out that this key is not just a PayPal and eBay device with a VeriSign stamp on it but it’s actually an RSA SecurID device that’s fully part of VeriSign Identity Protection. This means this key can be used for a whole number of sites, especially being that VeriSign is also an OpenID provider. A bit more searching led me to cavemonkey50.com with a list of a bunch of different OpenID opportunities that could be used with th…. [...]

  3. PayPal Security Key
    on Nov 4, 2007 at 1:04 am

    [...] Info via CaveMonkey. [...]

  4. [...] a new toy, I of course looked around for more ways to use it. This article led me to OpenID, which might also be useful for a work project. (SAML, Shibboleth, OpenID, [...]

  5. [...] ran across this nine-month old post at cavemonkey50.com and I’m kind of left wondering where I was when this idea made its round on the blogs. [...]