Josh (the blog)

I’ve delivered simple, clear and easy-to-use services for 20 years, for startups, scaleups and government. I write about the nerdy bits here.


@joahua

Cheap secure authentication

Verisign OTP from PayPal

These things can be had from PayPal for about five bucks. Or $7.50 if you’re an Aussie. Verisign will flog them off to you for $30, if you’d like, but basically PayPal rocks for this kinda stuff. It’s a one-time password token: a second factor, so a password that’s been guessed, keylogged or phished is no longer enough on its own to get in. It’s cool because it works with PayPal and eBay. It’s cooler (and worthwhile) because you can potentially use it with OpenID.

Essentially, the token holds a unique secret key and, each time you press the button, derives a short code from that key plus an internal counter (or clock). You type the code after your regular password, and the server, which knows the same key, recomputes the code and checks it. Because a code is only good once (or only for a short window), a keylogger or a credential-harvesting phishing site ends up with a password plus a code that has already been burnt. What it doesn’t stop is an attacker who relays your code to the real site in real time, or who hijacks the session after you’ve logged in, so it’s a big improvement rather than a cure-all. These kinds of devices have been used in corporate VPN/dial-in scenarios for years now (predominantly, in the situations I’m aware of, with technology by RSA SecurID), but this is the first I’ve seen of it from Verisign.
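To make the mechanism concrete, here is an added example of the server side of an event-based OTP scheme, written for this post rather than taken from Verisign, PayPal or any OpenID implementation. It uses the OATH HOTP algorithm from RFC 4226 (HMAC-SHA1 over a counter, truncated to six digits) purely as a well-documented stand-in; whether the Verisign token uses exactly this algorithm is not something the post establishes. The seed is the RFC’s own test-vector seed, the salt and password are constructed for the demo, and a real deployment would add rate limiting and a per-user random salt.

```python
import hashlib
import hmac
import struct

# Demo seed taken from the RFC 4226 test vectors (Appendix D). A real token's
# seed is a per-device secret shared only between the token and the issuer.
RFC4226_SEED = b"12345678901234567890"


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    dynamically truncated to a `digits`-long decimal code."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = (
        (mac[offset] & 0x7F) << 24
        | mac[offset + 1] << 16
        | mac[offset + 2] << 8
        | mac[offset + 3]
    )
    return str(binary % 10**digits).zfill(digits)


class TokenRecord:
    """Server-side state for one enrolled event-based token."""

    def __init__(self, seed: bytes, look_ahead: int = 10):
        self.seed = seed
        self.next_counter = 0          # lowest counter value still acceptable
        self.look_ahead = look_ahead   # tolerate button presses the user wasted

    def verify(self, code: str) -> bool:
        for c in range(self.next_counter, self.next_counter + self.look_ahead):
            if hmac.compare_digest(hotp(self.seed, c), code):
                # Move past the matched counter so the same code can never be
                # accepted again. This is what defeats a keylogger replay.
                self.next_counter = c + 1
                return True
        return False


class Account:
    """A user record: salted password hash plus an enrolled token."""

    def __init__(self, password: str, token: TokenRecord, digits: int = 6):
        self.salt = b"constructed-demo-salt"   # random per user in practice
        self.pw_hash = self._hash(password)
        self.token = token
        self.digits = digits

    def _hash(self, password: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, 100_000)

    def login(self, submitted: str) -> bool:
        """`submitted` is the password immediately followed by the token code,
        the concatenation the post describes. Both factors must pass."""
        if len(submitted) <= self.digits:
            return False
        password, code = submitted[:-self.digits], submitted[-self.digits:]
        if not hmac.compare_digest(self._hash(password), self.pw_hash):
            # Don't touch the token state on a bad password, so someone
            # without the password can't burn the user's codes.
            return False
        return self.token.verify(code)


def demo() -> dict:
    """Constructed walk-through: a genuine login, a keylogger replaying the
    exact same keystrokes, the next genuine press, a wrong password with a
    valid code, and a user who pressed the button a few times for no reason."""
    account = Account("correct horse", TokenRecord(RFC4226_SEED))
    first = "correct horse" + hotp(RFC4226_SEED, 0)   # first button press
    return {
        "first_login": account.login(first),
        "replayed_keystrokes": account.login(first),
        "next_press": account.login("correct horse" + hotp(RFC4226_SEED, 1)),
        "wrong_password": account.login("wrong" + hotp(RFC4226_SEED, 2)),
        "skipped_presses": account.login("correct horse" + hotp(RFC4226_SEED, 4)),
    }


if __name__ == "__main__":
    for step, ok in demo().items():
        print(f"{step}: {'accepted' if ok else 'rejected'}")
```

The replay case is the whole point of the device: the keylogger captured a perfectly valid password-plus-code string, but by the time it is reused the server has already advanced past that counter. The look-ahead window is the usual trade-off between tolerating a fidgety user and limiting how many codes a guesser gets to aim at, which is why you still want attempt throttling in front of it.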

And, sure, it’s only as secure as the physical security of the token and the endpoints themselves are, but it’s a massive step up from “what’s your cat’s name?” “two-factor” auth, which is really just a second something-you-know (though, unfortunately, I think PayPal/eBay offer that as a backup, and a system is only ever as strong as its weakest fallback).

I’ve ordered mine and will probably be having a play with OpenID implementations of it (backed by Verisign’s PIP service, but not overly tied to it because of OpenID’s identity-delegation ability) once it arrives (10 business days).

Can’t help but wonder what Verisign’s rates for these things are in a standalone sense. Normally they’re sold on 5 year contracts, but what’s the actual cost per token? Seems like a great way to defeat the idiot users who insist on having passwords that are blatantly obvious (argue all you like about strength policies: it’s often not feasible when balanced against the support load from the resulting forgotten passwords).

Also, to those who argue PayPal = evil, if you’re in Australia then please… don’t. Unlike in the US, here they’ve basically got the same financial reporting obligations as any bank does, and customer service necessarily to match it. All the horror stories from the ‘States (not that I think them universally untrue!) pretty much couldn’t happen here or they’d be chucked out of the country. And, whilst they’re so heavily subsidising (or at least obtaining bulk discounts for) this kinda tech, that’s cool with me.