Within the past week, both Paypal and E*Trade have offered me a new security key. These keys, based on the SecurID by RSA, generate a unique number every 30 seconds or so. To use the key, I will have to enter my username and password as usual, as well as the number that is displayed on the key. Since the number is unique and ever-changing, if someone has obtained my password they still can’t use my account since they don’t have the key.

These keys do offer some level of protection. If your password has been stolen and is being traded around in the Internet underworld, these tokens can help.
There are some problems with these keys. First, the keys do not protect against man-in-the-middle attacks, where bad guys wait for you to log in and then hijack your authenticated session to conduct fraudulent transactions. These attacks are a big problem because of the huge number of Trojan programs circulating on the Internet. If a computer is compromised by a Trojan, the keys offer no protection. The threats are real.

Second, the keys must be synchronized with the server so that the system can tell whether the right numbers are being entered. In my experience using the keys a long time ago, the keys and the servers can get out of sync. When this happened I had to call a call center and get the systems re-synced by telling an operator the current number showing on the key. I hope that they have improved the synchronization.
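To show concretely how a time-based code is produced and why drift matters, here is an added example (not from the post, and not RSA's proprietary SecurID algorithm) using the open TOTP standard from RFC 6238. The secret, timestamps and drift values are constructed for the demo; the server tolerates one 30-second step of drift on either side, and a token that has drifted further is rejected until it is manually re-synchronized.

```python
import hmac
import hashlib
import struct

TIME_STEP = 30  # seconds per code, as on the keys described in the post


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226) for one counter value."""
    msg = struct.pack(">Q", counter)
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                      # dynamic truncation
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = TIME_STEP) -> str:
    """Time-based code (RFC 6238): the counter is the current time step."""
    return hotp(secret, unix_time // step)


def verify(secret: bytes, code: str, server_time: int, window: int = 1) -> bool:
    """Accept the code if it matches the server's current step or one of
    `window` adjacent steps. The window absorbs small clock drift between
    token and server; larger drift needs the manual resync the post describes."""
    now_step = server_time // TIME_STEP
    for delta in range(-window, window + 1):
        if hmac.compare_digest(hotp(secret, now_step + delta), code):
            return True
    return False


# Constructed demo seed; real seeds are provisioned per token by the issuer.
SECRET = b"constructed-demo-seed-not-a-real-token"


def demo():
    """Return verification results for an in-sync, a slightly drifted and a
    badly drifted token clock against a fixed server time."""
    server_time = 1_700_000_000                      # 20 s into a 30 s step
    in_sync = totp(SECRET, server_time)
    slight_drift = totp(SECRET, server_time + 25)    # token 25 s ahead: next step
    heavy_drift = totp(SECRET, server_time + 95)     # token 95 s ahead: three steps off
    return (verify(SECRET, in_sync, server_time),
            verify(SECRET, slight_drift, server_time),
            verify(SECRET, heavy_drift, server_time))


if __name__ == "__main__":
    print(demo())  # (True, True, False)
```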
Third, the keys can be lost, stolen, broken, or simply forgotten at home. Because of this, the systems have to offer an alternative way to access your account. That fallback is usually some other form of authentication, which may not be as strong as the key itself. So the bad guys might have a work-around.
The Paypal key is going to cost me U$5.00. The E*Trade key will be C$30 unless I have C$50K of combined assets. And I am going to need a bigger key ring.
