Paypal Security Key for Multi-Factor Authentication

Written by Mark Sanborn: May 5, 2008

After listening to an episode of the Security Now podcast, I was fascinated by the idea of multi-factor authentication. In the Perfect Paper Passwords episode they discussed using one-time passwords written on a credit-card-sized piece of paper. Each time you log in, you have to supply both your password and a pseudo-random one-time password from your Perfect Paper Passwords card. The next time you log in, you have to supply the next one-time password from the card. When all the passwords are used up, you print another card and start the process over.

The strength of this lies in the fact that someone listening to the authentication process, even knowing every detail of it, would not be able to mount a replay attack. That is, they would not be able to authenticate by typing in your password and the one-time key they captured. This is because the key is exactly what its name says: one-time use.

If someone were to find your paper with one-time keys, they would still not be able to log in, because they do not know your password.
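A minimal sketch of the server side of such a scheme, added here as an illustration and not taken from this post or from Perfect Paper Passwords itself. It uses HMAC-SHA256 as a stand-in for the real card-generation cipher, and the names `Account`, `passcode`, `print_card` and `MAX_FAILURES` are hypothetical.

```python
import hashlib
import hmac
import secrets

ALPHABET = "23456789ABCDEFGHJKLMNPQRSTUVWXYZ"  # 32 unambiguous characters (constructed)
CODE_LEN = 4
MAX_FAILURES = 5  # assumed lockout threshold; short codes need guess limiting


def passcode(card_secret: bytes, index: int) -> str:
    """Derive the index-th one-time code (HMAC stand-in, not the PPP cipher)."""
    digest = hmac.new(card_secret, index.to_bytes(8, "big"), hashlib.sha256).digest()
    # 256 is a multiple of 32, so b % 32 introduces no bias.
    return "".join(ALPHABET[b % 32] for b in digest[:CODE_LEN])


def print_card(card_secret: bytes, start: int, count: int) -> list[str]:
    """Return the codes that would be printed on one paper card."""
    return [passcode(card_secret, i) for i in range(start, start + count)]


class Account:
    def __init__(self, password: str, card_secret: bytes):
        self.salt = secrets.token_bytes(16)
        self.pw_hash = self._hash(password)
        self.card_secret = card_secret
        self.next_index = 0  # position of the next unused code
        self.failures = 0

    def _hash(self, password: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, 100_000)

    def login(self, password: str, code: str) -> bool:
        if self.failures >= MAX_FAILURES:
            return False  # locked until an out-of-band reset
        pw_ok = hmac.compare_digest(self._hash(password), self.pw_hash)
        expected = passcode(self.card_secret, self.next_index)
        code_ok = hmac.compare_digest(code.upper().encode(), expected.encode())
        if pw_ok and code_ok:
            self.next_index += 1  # burn the code: a captured pair cannot be replayed
            self.failures = 0
            return True
        self.failures += 1
        return False
```

An eavesdropper who captures one successful password-and-code pair fails on replay because the server has already moved to the next index, and a found card fails without the password.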

Although Steve Gibson from Security Now has a more secure implementation and full documentation on how to implement it, Verisign/Paypal have a similar proprietary system in place. One of the major differences in their system is they don’t use a piece of paper but rather a digital device with keys that change based on time. They are synced with the server and display a different key based on the current date and time.

With security these days and the number of vulnerabilities I was excited to find out that Paypal offers the device for only $5.00. These devices purchased directly from Verisign are $30.00 for the football shaped one and $48.00 for the credit card style. The Paypal device is the exact same for a fraction of the price and worth every penny. The best part of the whole thing is that the device can be used for all online services that use OpenID Authentication.

Let me reiterate how cool this thing is. Someone can have full knowledge of your password but still have no access without having this physical device in their hands. On the flip side if you lose the device it is meaningless without knowledge of the account’s username and password.

The only drawback is having to carry the keychain-sized device around. They do have a credit card style device but it is $48.00. This would be much more convenient, though, because you can carry it in your wallet, and most people carry their wallets around.

Create your own

If you are interested in creating your own one-time multi-factor authentication system using paper instead of an electronic device, you can check out Perfect Paper Passwords. Open source applications have already been implemented. Someone has already written a PAM plugin for Linux so you can authenticate SSH sessions with this method. There is even a PHP function for creating secure web logins. The method described is even more secure than Verisign but you do have to print out paper cards every 100 or so logins.
