I received my Paypal Security Key in the mail today. I jumped at the chance to order one after I happened to read about its release on codinghorror.com. The key fob, which uses the same kind of technology as RSA's SecurID, generates a new 6-digit number every 30 or 60 seconds. The fob and the server share a secret seed that was programmed into the fob when it was made, and both derive the current passcode from that seed and the current time. When you log in to the website with your username and password plus the passcode, the server computes what 6-digit passcode should currently be displayed on your fob and, if it matches what you entered, lets you in. Since the passcode constantly changes, someone who has stolen your username and password still cannot log in without also physically holding your key fob (or capturing a fresh code as you type it; more on that below). This is known as two-factor authentication: something you know (your password) and something you have (the key fob).
I have been a fan of SecurID ever since I worked with them at Getronics, where I supported an international base of banking employees who used SecurIDs to log in to Deutsche Bank's internal network. I was responsible not only for educating users on how to use their SecurID, but also for re-syncing the ACE Server (which is used to manage all SecurIDs), generating temporary passcodes for users who had misplaced their SecurID, watching the ACE log monitor to help diagnose authentication issues, and adding and removing SecurIDs from the ACE server. It was probably the most fun I had working at Getronics -- and because I enjoyed it, diagnosing SecurID issues, and understanding how they work, became second nature to me.
When E*TRADE started providing SecurIDs, they initially gave them out for free to those who were the first to order them. Of course I jumped on the opportunity, and within a few weeks I was logging in to my E*TRADE account with my username and password plus SecurID passcode. In addition to my brokerage account, I opened an E*TRADE checking account simply because I loved being able to feel secure about logging in to my checking account. However, since there are no E*TRADE branches around here where I can make physical deposits, I still need a local bank account. For that I use TDBanknorth. It would be awesome if TDBanknorth provided a SecurID for online access. Now that E*TRADE is offering a savings account with no minimums, no fees, and a 5.05% interest rate (!), I'm going to close my INGDirect savings account (4.50%) and switch to using E*TRADE exclusively. I will now have checking, savings, and brokerage accounts with E*TRADE, all of which I can securely access from a single site using the SecurID.
Even though Paypal's Security Key is not an official SecurID, it uses the same kind of technology. SecurID is made by RSA Security. Paypal has created its own version with a 6-digit code that changes every 30 seconds. The Paypal Security Key differs from the SecurID in that instead of always displaying the passcode, its display simply turns off after 30 seconds; you need to press a button on the fob to turn the display on and show a new passcode. In addition, the Paypal fob is slightly larger, has an oval shape, feels less durable, and has an annoying string with a metal ring on the end for attaching it to your key chain. I discarded the string and replaced it with a bigger, more durable keyring. The SecurID is definitely designed better, and the only reason I can think of for the Paypal key using a button to turn on the display is to save battery life.
Since Paypal is owned by eBay, you can also activate the Security Key for your eBay account, allowing you to secure both your Paypal account and your eBay account with the same Security Key! I completed the activation process for both accounts, and it was very easy. I simply logged into my account, filled out three boxes (serial number from the back of the Security Key, and two passcodes from the key), clicked submit, and the process was done.
Carrying two key fobs on my key chain isn't fun, but if it means I can feel a lot safer about the security of five of my online accounts (brokerage, checking, savings, Paypal, and eBay), then I'm all for it! In fact, besides my TDBanknorth account, I can't think of any other account I really wish I could feel safer about accessing online. Of course, even two-factor authentication is vulnerable to man-in-the-middle and other attacks. A passcode is tied only to a time window, not to a particular login, so an attacker who obtains the current passcode can use it for the rest of that 30 (or 60) second window, and longer if the server tolerates a step or two of clock drift between fob and server. Combine a hidden screen-capture or key-logger application with the speed of the Internet and you have an attacker who watches your computer in real time and logs in to your account a few seconds after you do, or, if the server refuses to accept the same passcode twice, races you and logs in first. A phishing site that relays your username, password, and passcode to the real site as you type them works the same way and needs nothing installed on your machine. The bottom line: don't allow your computer to be compromised in the first place, and make sure the passcode you type is going to the real site.
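To make the mechanism described at the top of the post and the replay window described just above concrete, here is an added example that is not code from the original post, from Paypal, or from RSA. It implements the open time-based one-time-password algorithm from RFC 6238 (the SecurID and Paypal key algorithms themselves are proprietary and not described here, so this stands in for the general time-synchronized principle), plus a minimal server-side check that tolerates one step of clock drift and refuses to accept the same code twice. The seed is the RFC 6238 test-vector seed, and the user name, timestamps, and attack timelines are constructed for the demonstration.

```python
import hashlib
import hmac
import struct
import time

# Seed from the RFC 6238 test vectors, used here only so the output can be
# checked against the RFC. A real fob's seed is programmed at manufacture and
# shared only with the authentication server. (Assumption: the Paypal key and
# RSA SecurID work on this time-synchronized principle; their exact algorithms
# are not described on this page.)
DEMO_SEED = b"12345678901234567890"
STEP_SECONDS = 30
DIGITS = 6


def totp(seed: bytes, unix_time: int, step: int = STEP_SECONDS, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the time-step counter, dynamically truncated."""
    counter = unix_time // step
    digest = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def current_code(seed: bytes = DEMO_SEED) -> str:
    """What a fob holding this seed would display right now."""
    return totp(seed, int(time.time()))


class OtpServer:
    """Server side of the login: holds each user's seed, recomputes the expected
    code for the current time step (plus a little clock drift on either side),
    and refuses to accept the same (user, time step) twice."""

    def __init__(self, seeds, skew_steps: int = 1):
        self.seeds = dict(seeds)        # username -> seed (constructed users)
        self.skew_steps = skew_steps    # steps of drift tolerated on either side
        self.used = set()               # (username, counter) pairs already accepted

    def verify(self, username: str, code: str, now: int) -> bool:
        seed = self.seeds.get(username)
        if seed is None:
            return False
        base = now // STEP_SECONDS
        for delta in range(-self.skew_steps, self.skew_steps + 1):
            counter = base + delta
            expected = totp(seed, counter * STEP_SECONDS)
            if hmac.compare_digest(expected, code):
                if (username, counter) in self.used:
                    return False        # replay: this code was already consumed
                self.used.add((username, counter))
                return True
        return False


def replay_scenarios(t: int = 1_700_000_000):
    """Two constructed timelines at a fixed timestamp so the results are reproducible.
    Returns (victim_ok, attacker_replay_ok, stale_ok, attacker_first_ok, victim_after_ok)."""
    code = totp(DEMO_SEED, t)   # the passcode the fob shows at time t

    # Timeline 1: the victim logs in; a key-logger operator replays the code 5 s later.
    srv = OtpServer({"alice": DEMO_SEED})
    victim_ok = srv.verify("alice", code, t)
    attacker_replay_ok = srv.verify("alice", code, t + 5)
    stale_ok = srv.verify("alice", code, t + 3 * STEP_SECONDS)   # well past the skew window

    # Timeline 2: the attacker is faster and submits the captured code first.
    srv2 = OtpServer({"alice": DEMO_SEED})
    attacker_first_ok = srv2.verify("alice", code, t + 1)
    victim_after_ok = srv2.verify("alice", code, t + 2)
    return victim_ok, attacker_replay_ok, stale_ok, attacker_first_ok, victim_after_ok


if __name__ == "__main__":
    print("RFC 6238 check, T=59:", totp(DEMO_SEED, 59))   # 287082
    print("scenarios:", replay_scenarios())               # (True, False, False, True, False)
```

Two things worth noticing. With `skew_steps=1` the server accepts a given code in three consecutive 30-second steps, so a captured code can stay live for up to 90 seconds, not 30. And the used-code set closes the "log in a few seconds after you" attack, but not the race in the second timeline, and not a phishing proxy that relays the code to the real site before you do; those are the man-in-the-middle cases the post warns about, and no amount of server-side checking fixes a compromised client.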
There is no security against human stupidity.