
Tuesday, July 10, 2007

PayPal Security Key: Two-factor authentication for $5

Network World

Security Strategies

Network World's Security Strategies Newsletter, 07/10/07

By M. E. Kabay

My friend, colleague and former graduate student Carl Ness recently wrote to me excitedly, “It's about time this reached the consumer... I got mine yesterday, and I must say, it works really well. Now if my bank would just get a clue...” That Web page reveals that PayPal has (finally) announced cheap, effective two-factor authentication for the masses.

For an affordable $5 fee, PayPal will send anyone a pseudo-random password-generating device that creates a six-digit security code tied to the device's serial number every 30 seconds. That means that if there are no repeats in the sequence, it could take up to 11.6 days to hit the same security code by chance.

If the logon sequence is programmed to enforce a timeout after, say, three errors, then even assuming a measly one-minute delay before the attacker can continue trying security codes, it would take on average about 116 days (keyspace 1e6 codes / 3 = 3.33e5 triplets = 3.33e5 minutes = 5.55e3 hours = 2.31e2 days in the worst case, or 1.16e2 on average by the Central Limit Theorem).
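The two pieces of the scheme just described, a six-digit code that rotates every 30 seconds and a server that locks out after three bad guesses, can be shown end to end in a few dozen lines. The following is an added example, not code from the article or from PayPal: it assumes an HMAC-based construction in the style of RFC 4226 (HOTP) and RFC 6238 (TOTP), which the newsletter does not specify, and the `TokenVerifier` class, the `expected_days_to_guess` function and the test secret (the RFC 4226 example key) are all assumptions of this example. The verifier also refuses to accept a code a second time, a check the article does not mention but which any deployment needs.

```python
import hashlib
import hmac
import struct

STEP_SECONDS = 30   # rotation period described in the article
DIGITS = 6          # code length described in the article


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: float, step: int = STEP_SECONDS, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: HOTP whose counter is the number of 30-second steps since the epoch."""
    return hotp(secret, int(at // step), digits)


class TokenVerifier:
    """Hypothetical server-side check with the article's three-strikes lockout.

    Not PayPal's implementation; every parameter here is this example's assumption.
    """

    def __init__(self, secret: bytes, max_failures: int = 3,
                 lockout_seconds: int = 60, window: int = 1):
        self.secret = secret
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self.window = window          # tolerate +/- this many steps of clock drift
        self.failures = 0
        self.locked_until = 0.0
        self.last_counter = -1        # highest counter already accepted (replay guard)

    def check(self, code: str, now: float) -> str:
        """Return "ok", "bad" or "locked" for a submitted code at wall-clock time `now`."""
        if now < self.locked_until:
            return "locked"
        base = int(now // STEP_SECONDS)
        for counter in range(base - self.window, base + self.window + 1):
            if counter <= self.last_counter:
                continue               # a code already used, or older, is never accepted again
            if hmac.compare_digest(hotp(self.secret, counter), code):
                self.last_counter = counter
                self.failures = 0
                return "ok"
        self.failures += 1
        if self.failures >= self.max_failures:
            self.failures = 0
            self.locked_until = now + self.lockout_seconds
            return "locked"
        return "bad"


def expected_days_to_guess(keyspace: int = 10 ** 6, tries_before_lockout: int = 3,
                           lockout_minutes: float = 1.0) -> float:
    """Reproduce the article's arithmetic: keyspace / 3 lockouts of one minute each,
    halved for the average case. This assumes a fixed target code, as the article does;
    a code that rotates makes every attempt an independent 1-in-keyspace guess, which
    raises the expectation."""
    worst_case_minutes = keyspace / tries_before_lockout * lockout_minutes
    worst_case_days = worst_case_minutes / 60 / 24
    return worst_case_days / 2


if __name__ == "__main__":
    # Constructed demo using the RFC 4226 example key; not a real token's secret.
    secret = b"12345678901234567890"
    verifier = TokenVerifier(secret)
    print("code at t=59:", totp(secret, 59))                 # 287082 per RFC 4226 table
    print(verifier.check(totp(secret, 59), 59))             # ok
    print(verifier.check(totp(secret, 59), 60))             # bad (replay)
    print(verifier.check("000000", 61), verifier.check("000000", 62))  # bad locked
    print(round(expected_days_to_guess()), "days")          # 116
```

The replay guard matters because a 30-second window is long enough for a code shown to a helper, or captured in transit, to be reused; advancing `last_counter` on every success closes that gap without needing any extra state beyond one integer per user.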


In other words, if properly implemented, this device will be very difficult to bypass.

Randomizer tokens offer tremendous improvements to authentication, especially for Web-based commerce. They make man-in-the-middle attacks far more difficult than password-only authentication, and they greatly reduce the effect of stolen or compromised passwords.

Users are accustomed to carrying security devices of a similar size: electronic keys for cars. Adding another to their key fob will be no problem. Even if the device is lost, it’s useless without the user ID and password.

My hope is that many other businesses will piggyback onto the PayPal initiative. Like my correspondent Carl, I would be delighted to learn other organizations were adopting the system immediately; I must send this article to my bank, my credit-card company, my book club, my CD club, my DVD club, my phone company, my insurance company, etc., etc.



Contact the author:

M. E. Kabay, Ph.D., CISSP-ISSMP, is Associate Professor of Information Assurance and CTO of the School of Graduate Studies at Norwich University in Northfield, Vt. Mich can be reached by e-mail and his Web site.


Network World, Inc., 118 Turnpike Road, Southborough, MA 01772

Copyright Network World, Inc., 2007