Multi-factor authentication
PayPal users will probably know this already but for some time now it has been possible to double-lock your PayPal account with an SMS Security Key, meaning that as well as having to give your email address and password to sign in you also have to type in a random 6-digit code sent to your mobile phone via SMS. This combination of something you know (your password) and something you have (your mobile phone) is intended to increase the security of the service.
I was initially rather sceptical that this would work, being under the impression that SMS is inherently unreliable, but it actually seems fine. OK, I'm not the world's biggest PayPal user - I probably sign in once a week at most - but, so far, I've not suffered lock-out because the SMS message with my 6-digit code in it didn't arrive quickly enough.
I'm surprised that more banks don't offer this feature for their online banking? (Actually, I don't use that many banks! But I can say that mine doesn't.)
I also noticed today that Amazon Web Services offer a similar multi-factor feature (which I think is reasonably recent), but using dedicated hardware rather than your mobile phone and SMS.
Finally, I note that MyOpenID.com offer CallVerifID, which will call your mobile when you try and sign in - though it is not currently available in the UK (because of the call costs).
All of which is largely anecdotal - I assume there are plenty of other examples I could/should have cited, these just happen to be the ones I've noticed/used - but it strikes me that the use of the mobile phone as a second authentication device has some significant advantages (for the user at least) over a dedicated device. As Will McInnes noted at FOTE last week, we all keep our mobiles close to us pretty much all the time now anyway.
PayPal also allows you to use a VeriSign VIP (VeriSign Identity Protection) device with your account. What is noteworthy about VIP is that VeriSign makes a mobile device application for BlackBerrys and iPhones which makes your phone a VIP device.
https://idprotect.verisign.com/learnmoretoken.v
https://idprotect.verisign.com/orderstart.v#
The problem with multi-factor authentication is that everyone wants to give you or sell you a FOB for their service. I currently have one for work, two for banks, one for Amazon, and one for PayPal. Even though all these FOBs are based on a standard, nobody is allowing you to associate your seed key identifier with your profile. If they did, then I would only need VeriSign's mobile device VIP application instead of carrying around 5 FOBs.
People should be concerned about using SMS as a FOB-type device like PayPal and other organizations allow. The six digit number has to traverse the Internet to get to your phone carrier who forwards it, via SMS, to your phone. It works, but I suspect it is vulnerable to a man-in-the-middle attack. However, it happens so quickly and the number is only valid for a very short period of time that it is unlikely to be compromised...
Posted by: Andrew Houghton | October 08, 2009 at 07:07 PM
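The post describes a 6-digit code that is only useful for one sign-in, and Andrew's comment notes that the hardware FOBs are all built on a standard seed key. The following is an added example, not code from the blog, PayPal or VeriSign; it assumes that the standard in question is OATH HOTP (RFC 4226) and uses the RFC's published test secret as a constructed seed. It shows how the 6-digit code is derived from the seed and a counter, and how a verifier accepts a code only once and only within a small look-ahead window, which is what makes a captured code worthless after it has been used or after the counter has moved on.

```python
import hashlib
import hmac
import struct

# Constructed demo seed: the RFC 4226 test secret (ASCII "12345678901234567890").
# It is not any real token's key; a deployed seed would be random and shared only
# between the token and the verifier.
SEED = b"12345678901234567890"
DIGITS = 6


def hotp(seed: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    dynamic truncation to 31 bits, then reduce modulo 10^digits."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = ((mac[offset] & 0x7F) << 24
              | mac[offset + 1] << 16
              | mac[offset + 2] << 8
              | mac[offset + 3])
    return str(binary % (10 ** digits)).zfill(digits)


class HotpVerifier:
    """Server-side state for one enrolled token (hypothetical helper).

    The verifier keeps the next expected counter. A look-ahead window tolerates
    a few button presses that never reached the server; once a code is accepted
    the counter moves past it, so the same code cannot be replayed.
    """

    def __init__(self, seed: bytes, window: int = 5):
        self.seed = seed
        self.counter = 0
        self.window = window

    def verify(self, submitted: str) -> bool:
        for c in range(self.counter, self.counter + self.window + 1):
            # Constant-time comparison so timing does not leak the expected digits.
            if hmac.compare_digest(hotp(self.seed, c), submitted):
                self.counter = c + 1
                return True
        return False


if __name__ == "__main__":
    print("first three codes:", [hotp(SEED, c) for c in range(3)])
    v = HotpVerifier(SEED)
    print("fresh code accepted:", v.verify(hotp(SEED, 0)))
    print("same code again:", v.verify(hotp(SEED, 0)))
```

A time-based token (TOTP, RFC 6238) is the same derivation with the counter replaced by the number of 30-second steps since the Unix epoch, which is why such codes expire on their own; the single-use and window logic in the verifier is what gives an SMS or event-based code the "very short period of validity" the comment relies on.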
"I'm surprised that more banks don't offer this feature for their online banking? "
Barclays have done for some time (though using debit card and PIN not SMS as the out-of-bandwidth factor). See http://www.out-law.com/page-7182
Posted by: Phil Barker | October 09, 2009 at 09:33 AM
Thanks for the updates... looking at it now, I'm not 100% why I even blogged this. I thought it was going to go somewhere in terms of OpenID or SAML identity providers and whether relying parties and identity providers could negotiate with each other around whether multi-factor authentication is required/has been used. I guess this is possible in SAML and, looking at the PAPE specification (http://bit.ly/ARC0b), it looks like it can also be done around OpenID (albeit in the absence of any proper trust model other than hand-crafted white-lists). I think I ran out of steam before my thinking got even this far though! :-)
Posted by: Andy Powell | October 09, 2009 at 01:47 PM
As Andrew correctly points out, VeriSign (I work for them btw) does offer a mobile token application that now runs on any device that supports J2ME (which is the lion's share of them). I prefer it to hard tokens since there's nothing extra to carry, and to SMS because it doesn't require phone reception to use -- though both tokens and SMS are definitely worth being able to use the authentication.
Also re: multiple FOBs. It sounds like you've already tried, but VeriSign's token actually works across a fairly sizable network of banks (yeah, a handful of banks do offer 2FA) and other institutions. I do agree it would be great if the same seed key worked everywhere, though (then again, the network is steadily growing).
Posted by: Joseph A'Deo | October 12, 2009 at 08:49 PM