eBay now recommends mobile over token-based two-factor authentication -- should you switch?
Two factor authentication strikes the right balance between convenience and security, which is why so many services offer it nowadays. But its implementation differs. Many companies have SMS or app-based systems, others prefer tokens, and some offer both as an option.
eBay falls in the third category, allowing users to receive the security code for the second authentication stage via SMS or a token. However, the company is now recommending users switch to the former method, touting its convenience as the main reason to abandon the token. But, should you take the advice?
SMS-based authentication is, indeed, more convenient. Most people have their phone on them, which makes it easy to get the security code when they want to log in. Trouble is, SMS is not a secure medium through which to deliver sensitive information like that. Someone can intercept those messages and gain access to one's account, assuming they know the password.
Tokens, on the other hand, are more reliable and secure. You can get your security code even in an area without cellular coverage and, because the code is generated on the device, it's pretty much impossible for someone to see it, unless they have physical access to the token.
But, and this is a pet peeve of mine, you have to carry the thing with you wherever you go. I know that some people have no problem with that, but personally I find that the hassle outweighs the benefits. And if you forget it then you probably will not be able to access your account.
We were tipped about eBay's advice by a reader, who shared with us the email the company has been sending a week ago. I reached out to eBay shortly after to get a comment that would explain the reasons behind this decision, but haven't heard back.
Brian Krebs, from KrebsOnSecurity, had better luck. Here's what eBay had to say:
As a company, eBay is committed to providing a safe and secure marketplace for our millions of customers around the world. Our product team is constantly working on establishing new short-term and long-term, eBay-owned factors to address our customer’s security needs. To that end, we’ve launched SMS-based 2FA as a convenient 2FA option for eBay customers who already had hardware tokens issued through PayPal. eBay continues to work on advancing multi-factor authentication options for our users, with the end goal of making every solution more secure and more convenient. We look forward to sharing more as additional solutions are ready to launch.
The token in question is made by Verisign, according to Krebs, and was first offered in early-2006 by PayPal to users wanting to add an extra layer of security to their accounts. It generates a security code, which is displayed on a small screen, that changes every 30 seconds. (It is not clear if eBay wants to phase-out token support, but the email, that you can see below, suggests that the company is at least considering this option.)
Krebs paints this as a "downgrade" in security, and I am not going to argue otherwise. However, I am not entirely convinced that it is such a bad idea for eBay to offer this advice. Security, if you want to take it up a notch, can be improved in all sorts of ways, but for the average user the convenience has to be there. They might have put up with tokens years ago, but nowadays they feel like a major hassle when there are more convenient options around.
It would, perhaps, make more sense for eBay to push app-based two-factor authentication instead, but nothing really beats the convenience of SMS. And, let's face it, someone would have to go to great lengths to intercept cellular traffic to read an SMS. From my point of view, it would be easier to just steal the token.
So, which one should you go with? Should you stick with the token or switch to SMS? Well, as you can see, there are pros and cons to each option. But it all boils down to this. If you have trouble dealing with the token, it would make sense to embrace the SMS option. If, on the other hand, the token method works for you, stick with it because it's more secure. It's as simple as that.