When thinking about replacing or strengthening traditional passwords, one alternative is to add a hardware device that proves the users are in possession of a token. RSA has done this for years with their SecurID product, but people with multiple accounts have to carry multiple SecurID tokens. Now VeriSign has come out with an iPhone application that does the same thing, and already supports three different account types. Is this the solution to adding “something you have” to the authentication process, without requiring that people “have” too many things? Will the application be secure, or just another attack vector for the bad guys?
What’s the Password? Only Your iPhone Knows
As of Tuesday, you can now download an iPhone application that will generate a password for your AOL, eBay and PayPal accounts. It’s optional and free to consumers, but if you sign up, no one can get in your account without your user ID, your password and the six-digit number generated by your phone.
So if I loose my phone I loose all passwords?