PayPal takes another crack at tightening security

EBay's PayPal service wants users to take security more seriously. To that end, it's combining an old security concept with a device most of us don't associate with security at all. Has PayPal chosen wisely?

The newly recruited security device is the humble mobile phone -- assuming it has SMS service. The old concept is a one-time credential, re-generated every few seconds or minutes and valid for just one use, used in conjunction with one's "other," more permanent password and one's username. The combination of something you know and something you have -- since you "have" the second number, though it'll only be useful for a moment -- is in turn a form of two-factor (or "strong") authentication.

The idea is that just before making a PayPal purchase, the user pings the SMS service (by clicking a button on the site) for a fresh one-time credential. The user types in the usual username and password info and logs in. The SMS service answers the ping with a six-digit number -- that is, the credential. The user types the credential into a field on the subsequent pop-up. If one's mobile provider has a nasty habit of delaying text messages, fear not; PayPal falls back to a series of security questions if the credential doesn't get through in time.

PayPal has made a two-factor effort before, and the new PayPal SMS Security Key is in fact closely related to the gadget-bsed PayPal Security Key, even using the same security infrastructure. The SMS functionality comes from VeriSign's Messaging and Mobile Division, which has been working with hundreds of carriers to build a global identity-protection system.

The entire PayPal program falls under the banner of the VeriSign Identity Protection Network. VeriSign itself, which offers a variety of authentication credentials, rates its own SMS one-time password offering as a 2 (out of 4) for both ease of use and security, but gives it the very best rating for support costs and ease-of-use. (The earlier Security Key version, in contrast, rates 3 for both ease of use and security, though it's a bit more expensive both to support and to deploy.)

PayPal has no plans to discontinue the $5 hardware Security Key, but the SMS version is free (aside from any charges levied by your mobile carrier). Like the Key, the SMS service will work not only on PayPal but on the eBay mothership. The service is available immediately for the US, Australia, Austria, Canada, and Germany.