So I spent $5 on what is one of the most secure ways to log in online, in this case to my PayPal account. PayPal now offers a one-time password (OTP) token to give its users a stronger login method. Instead of just a username and password, you must also enter the passcode currently displayed on the token they send you.
The passcode is valid for 30 seconds, after which a new one is displayed, and each passcode can be used only once. I am sure you are all familiar with RSA SecurID or Canada's own AuthAnvil (run by Canadian MVP Dana Epp), and this is really not very different. The device has a serial number, and once it is synchronized with the authentication server you are ready to go. Now you have something you know (your username and password) and something you have (the token that generates the passcode), which makes for a nice, secure two-factor authentication scheme. This got me thinking: why isn't this standard at all financial institutions? I asked around with some people I know and there is no reason why it isn't feasible. The banks could, as they already do for credit/debit card processing, centralize the authentication and token synchronization so that you could use one token across your different banks and accounts.
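To make the 30-second window and the one-time rule concrete, here is an added example (not PayPal's, the token vendor's, or this post's own code) of how a server typically verifies such a token. It assumes the token implements time-based OTP as standardized in RFC 6238 (HMAC-SHA1 over a 30-second step counter); the post does not say which algorithm PayPal's token actually uses. The seed is the constructed 20-byte test seed from the RFC, and the verifier tolerates one step of clock drift either way while refusing any passcode for a step that has already been redeemed.

```python
import hmac
import hashlib
import struct

# Constructed example seed: the 20-byte ASCII seed used in the RFC 4226/6238
# test vectors. A real token keeps its seed inside the device; the server gets
# a copy when the token's serial number is registered (synchronized).
SEED = b"12345678901234567890"
STEP = 30      # seconds each passcode stays valid
DIGITS = 6     # passcode length shown on the token


def hotp(seed: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(seed: bytes, now: int, step: int = STEP) -> str:
    """RFC 6238 TOTP: HOTP where the counter is the number of 30-second steps since the Unix epoch."""
    return hotp(seed, now // step)


class TokenVerifier:
    """Server-side check: accepts the passcode for the current step, tolerates
    one step of clock drift either way, and refuses replay of a used passcode."""

    def __init__(self, seed: bytes, step: int = STEP, skew: int = 1):
        self.seed = seed
        self.step = step
        self.skew = skew
        self.last_counter = -1   # highest step counter already redeemed

    def verify(self, code: str, now: int) -> bool:
        # Reject malformed input before doing any comparison.
        if len(code) != DIGITS or not code.isdigit():
            return False
        current = now // self.step
        for counter in range(max(0, current - self.skew), current + self.skew + 1):
            if counter <= self.last_counter:
                # Already used, or older than one already used: one-time only.
                continue
            if hmac.compare_digest(hotp(self.seed, counter), code):
                self.last_counter = counter
                return True
        return False


if __name__ == "__main__":
    # Constructed timestamps from the RFC 6238 test vectors.
    print(totp(SEED, 59))                 # step 1
    v = TokenVerifier(SEED)
    print(v.verify(totp(SEED, 59), 59))   # first use accepted
    print(v.verify(totp(SEED, 59), 59))   # same passcode again is refused
```

The replay check is what enforces "can only be used once": the server remembers the highest step it has accepted and will not accept that step, or any earlier one, again even though the passcode is still mathematically valid within the drift window. Widening the skew makes life easier for users with a drifting token clock but also widens the window an attacker who shoulder-surfs a code has to use it.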
Compared with the smart card technology they are just starting to roll out on credit cards in Canada, which is pretty lame since the cards all still carry a magnetic stripe on the back holding the data and use the same PIN as your debit card, isn't this a better route? I was more than willing to pay the $5, which covered shipping, for the added protection, and I would go as far as paying an additional monthly fee to my bank to get a real level of security. The token is small enough to stick on a keychain, and as a backup you can authorize a mobile phone and have an OTP sent to it via SMS in an emergency.
Doesn’t this make more sense than adding a smart chip but leaving the “dumb” mag stripe on the back?