RealTime IT News

PayPal Rings Up Two-Factor Security

PayPal customers can now use their cell phones to authenticate their transactions through a new service that lets customers use SMS messaging to get a randomly-generated access code to log into their accounts.

The service, called the PayPal SMS Security Key, is an extension of PayPal's current Security Key service, which uses a hardware token. However, unlike the current service, which charges customers $5 for the token, the new service is free. Customers will have to pay their carriers' charges for SMS services, though.

PayPal and its parent company, eBay, were the first sites to sign on for VeriSign's (NASDAQ: VRSN) Identity Protection (VIP) two-factor authentication service when that was launched at the 2006 RSA Conference.

Two-factor authentication is where something the users know and something the users have, such as a hardware token, are both required to log in. Both PayPal and eBay are members of VeriSign's VIP Network, which has about 30 members. Anyone who is a customer of one member of the network can use the same authentication key to log in at the other members' Web sites, Jeff Burstein, senior product manager at Verisign, told InternetNews.com.

The services use an algorithm stored on VeriSign's servers to generate a unique six-digit security code every 30 seconds. Mobile phone users have to register their devices with VeriSign before they can use the PayPal SMS Security Key, Burstein said.

Customers using their mobile phones for authentication will have to re-register their new phones if their current ones are lost or stolen. In the meantime, they will be able to access their accounts by answering secret questions that they have set up to establish proof of their identity.

Been there, done something like that

The use of a phone in two-factor authentication is not new. Positive Networks offered a solution in June which used the public telephone network as one of the two factors for authentication.

Both the PayPal Security Key token and the PayPal SMS Security Key service are available in the U.S., Australia, Austria, Canada and Germany. A VeriSign spokesperson said the service would be extended to the U.K. soon.

PayPal had not responded to requests for comment by press time.