Using the PayPal/Verisign Security Key with OpenID for Two-Factor Authentication



As soon as I heard PayPal would be offering a $5 Security Key for additional security while logging in, I jumped on it. A few days later, it arrived in the mail. It’s a great idea, but I decided that carrying a little secure key that generates special numbers for the 3 times a month I login to PayPal just wasn’t worth it.

For the uninitiated, two-factor authentication is when two separate methods are used to verify an identity. For example, a thumbprint and a codeword, or a eye scan and a smart card. The most useful in my and many other’s opinion is a One Time password token, like the Paypal/Verisign security key. This device, which is meant to be carried with you at all times (think, belongs on your keychain, and you keep it in your pocket like a key) generates a series of numbers which depend on what time it is. This number, when combined with your password, provides a much more secure way of authenticating that it is really you who is logging into PayPal, and not just some guy from across the world who happens to have guessed, or phished your password.

OpenID is a relatively new technology where you store your personal information at a site called an OpenID Provider, and then other sites authenticate to that site. You then tell the OpenID provider that it is ok to let your target website use your information and itself to authenticate you. After that, when you want to login to this target site, you just need to be logged into your OpenID provider. Maybe this video will clear things up for you.

Some popular OpenID Providers are: MyOpenID, Verisign Labs PIP, and many, many more. I personally use Verisign Labs PIP, simply because I trust Verisign, and established security company, more than many of the other ‘mom and pop’ websites who now all of a sudden are OpenID providers. Call me elitist if you want but that is just how I feel.

So, good idea in theory, but I had a pretty big reservation about it. What if someone was able to get your OpenID username and password? All of a sudden, they have access to ALL of your websites that you use OpenID with, and you are worse off than if you just used seperate usernames and passwords for each one. You do use different passwords for your website logins, right?

So, just today, I thought to myself: wouldn’t it be great to be able to use that Verisign Branded PayPal Security Key with my Verisign Labs PIP account? Lo and behold, a google query later, and I find out that they are one of the only OpenID providers to provide two factor authentication, and that my old PayPal Security key works with it! Bingo!

I didn’t really find too much information online about how to hook the two up, so I thought I would put up an explanation to help others realize the security that this provides them.

1. Get a PayPal Security Key

All you need to do is go to the PayPal Security Key Website, sign in, and place an order for it. A few days later you get a little package with your key, and then you can feel special too.

2. Login or Create an Account at Verisign PIP

The Verisign Labs PIP website has all of the information you need for signing up. Go through all of the steps needed to activate your account before proceeding to the next step.

3. Add your Security Key Credentials to your account.

Go to the “My Account” page, and at the bottom there is a section that says “VIP Credential”.

You will then be asked to enter the credential ID (which are the letters/numbers on the back of your key) and also to push the button to generate a one-time key.

Click add, and you are done!

Next time you log into your OpenID at PIP, you will see the following challenge after you enter your username and password:

At this point, you might be asking what happens if you don’t have your Security Key with you? Well, there is an alternative. They will send you a one-time pin either to your cell phone via text, or to the e-mail account that you have on file with them.

This ensures that even if you don’t have your key with you, access to your websites can still be had. Just make sure your e-mail password is different than your OpenID password!

As an added bonus, they offer a firefox plugin called “Seatbelt” that automatically fills in your OpenID location for you on sites that support OpenID. It’s nice to not have to remember your OpenID URL, which is username.pip.verisignlabs.com. It’s not overly difficult to remember but they definately could use a more catchy URL.

So that is about it – with these two things, you should be sailing along with OpenID using two-factor authentication and minimal effort and money spent!

  • Glad to hear you found the PIP/VIP integration useful, David! As you discovered, the PayPal Security Key is part of VeriSign’s VIP Network, which means it can be used at other sites beyond PayPal, like the VeriSign Labs PIP. We’re adding new sites to the network all the time, which you can track at https://idprotect.verisign.com/wheretouse.v.

    Something else you may find interesting is that we’ve recently made the SOAP API that powers the VIP Network available to anyone to use for a trial basis (using a sandbox environment). More details are available here: http://blogs.verisign.com/identity/2008/04/calling_all_developers.php

  • Glad to hear you found the PIP/VIP integration useful, David! As you discovered, the PayPal Security Key is part of VeriSign’s VIP Network, which means it can be used at other sites beyond PayPal, like the VeriSign Labs PIP. We’re adding new sites to the network all the time, which you can track at https://idprotect.verisign.com/wheretouse.v.

    Something else you may find interesting is that we’ve recently made the SOAP API that powers the VIP Network available to anyone to use for a trial basis (using a sandbox environment). More details are available here: http://blogs.verisign.com/identity/2008/04/calling_all_developers.php

  • @Jeff Burstein (VeriSign): Thanks for reading this post. I’m glad to see that VeriSign is marking their VIP security options more aggressively now.

    With the proliferation in fraud on a global scale, these solutions are going to be more and more in demand. VeriSign is the only provider that I know of that provides devices like these directly to consumers at a reasonable price. Keep up the good work!

  • @Jeff Burstein (VeriSign): Thanks for reading this post. I’m glad to see that VeriSign is marking their VIP security options more aggressively now.

    With the proliferation in fraud on a global scale, these solutions are going to be more and more in demand. VeriSign is the only provider that I know of that provides devices like these directly to consumers at a reasonable price. Keep up the good work!

  • Pingback: OpenID Overview and Four Awesome Providers | MakeUseOf.com()

  • Pingback: Skribit Blog » Blog Archive » New: OpenID Support()

  • Pingback: excentral » Openid two-factor authentication()

  • Pingback: selenakyle ()

  • Pingback: djinoz()

  • Dan

    I discovered the same thing about VeriSign PIP and PayPal, and just received my $5 security card from PayPal that they sell on VeriSign’s site for $48.

    If you want to save $5 and have a smartphone, try downloading VeriSign’s VIP Access for Mobile software from their web site for free. It works on PayPal the same way and you don’t have to wait for the key in the mail.

    Dan

  • Dan

    I discovered the same thing about VeriSign PIP and PayPal, and just received my $5 security card from PayPal that they sell on VeriSign’s site for $48.

    If you want to save $5 and have a smartphone, try downloading VeriSign’s VIP Access for Mobile software from their web site for free. It works on PayPal the same way and you don’t have to wait for the key in the mail.

    Dan

  • Pingback: Charnita Fance()

  • Pingback: Martin Thurmann()

  • Pingback: Martin Thurmann()