Thursday, June 21, 2007

PayPal and two factor authentication

Reading the article below really got me thinking this morning. It sparked enough motivation for a blog post at least.

http://www.securityfocus.com/brief/528

I've always been an advocate for multi-factor authentication. One of the main issues that I have with it is proper implementation. When I used to work for a major telecommunications carrier, many of the staff in the IT department were issued credit-card-sized RSA devices to be used as secondary authentication when accessing the network via VPN. There were stringent rules as to where you could store it, that you couldn't loan it out or leave it lying about in plain view, etc.

On the other hand, my girlfriend works for a local university in an accounting department. All of the employees in her department have RSA key fobs for use as second-factor authentication when logging in to the network. Well... while picking her up from work one evening I noticed that after she logged off she placed the key fob next to her keyboard. Being security conscious (picture that!) I asked, “Aren't you going to lock that in your drawer or take it with you?” She looked at me, smiled as if I were an idiot and matter-of-factly replied, “Why would I do that? Everyone here leaves theirs on the desk when they leave.” Flabbergasted, I walked to each workstation and checked; lo and behold, at every workstation, neatly placed to the left of the keyboard, was an RSA key fob!

What does this story have to do with PayPal and the extra security measures they are attempting to employ? Everything. Two-factor authentication doesn't do you much good if you don't take measures to ensure that the security it can provide is not easily circumvented by poor security practices. A token left sitting on the desk gives anyone who walks past the second factor along with access to the first. When the token is not in use, do not leave it on your desk while you go to the restroom or leave for the day.

The post linked below also shows that two-factor authentication is neither foolproof nor a panacea. You still need strong IT controls and policies in place.

http://neural-cybernetix.blogspot.com/2006/07/phishers-defeat-2-factor.html

On a side note, I participated in the beta program and actually have one of the PayPal authentication devices. It was inexpensive, very painless to set up and works well. I keep it with me most of the time, and when I don't I make certain that it is stored securely.