EBay’s PayPal service wants users to take security more seriously. The newly recruited security device is the mobile phone with SMS service. Just before making a PayPal purchase, the user pings the SMS service (by clicking a button on the site) for a fresh one-time credential. The user types in the usual username and password info and logs in. The SMS service answers the ping with a six-digit number — that is, the credential. The user types the credential into a field on the subsequent pop-up. If one’s mobile provider has a nasty habit of delaying text messages, fear not; PayPal falls back to a series of security questions if the credential doesn’t get through in time.
PayPal has made a two-factor effort before, and the new PayPal SMS Security Key is in fact closely related to the gadget-based PayPal Security Key, even using the same security infrastructure. The SMS functionality comes from VeriSign’s Messaging and Mobile Division, which has been working with hundreds of carriers to build a global identity-protection system.
The entire PayPal program falls under the banner of the VeriSign Identity Protection Network. VeriSign itself, which offers a variety of authentication credentials, rates its own SMS one-time password offering as a 2 (out of 4) for both ease of use and security, but gives it the very best rating for support costs and ease-of-use. (The earlier Security Key version, in contrast, rates 3 for both ease of use and security, though it’s a bit more expensive both to support and to deploy.)