PayPal Security Token

I just got a PayPal Security Key and I’ve been playing with it the past few days. I have never had the privilege (or burden) of carrying a hardware token before, but I was more than willing to pay $5.00 for a new gadget that just happens to make my PayPal account more secure.

It works by generating a one-time use password that’s 6 digits long and changes every 30 seconds. This makes your login more secure than most weak passwords, but if you use a strong random UNIQUE pass-phrase for PayPal and don’t write it on a sticky note, you’re probably not gaining much security. Of course this would require you to remember said pass-phrase, but you may find doing so less burdensome than keeping up with a token.

One thing that’s neat about the token is that it works for both PayPal and eBay. Unfortunately the user experience on each site varies quite a bit. On eBay you are prompted for the typical username and password followed by the six-digit security key that your token spits out. On PayPal however, you append the security key to your current password.
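To make the PayPal-style flow concrete, here is an added example (not PayPal's or eBay's code, and not part of the original post) of how a server could take a single "password + six-digit code" field apart and check both halves. The post does not say which algorithm the token uses, so the example assumes standard RFC 6238 TOTP with HMAC-SHA1; the function names, the PBKDF2 password hash and the one-step drift window are all hypothetical choices.

```python
import hashlib
import hmac
import struct

# Assumption: RFC 6238 TOTP. The post only says "6 digits, changes every 30 seconds".
STEP = 30      # seconds per code
DIGITS = 6     # code length


def totp(secret: bytes, now: float, step: int = STEP, digits: int = DIGITS) -> str:
    """Code for the time step containing `now` (HMAC-SHA1, RFC 6238)."""
    counter = struct.pack(">Q", int(now) // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def split_login(submitted: str, digits: int = DIGITS):
    """Split 'password + code' typed into one field; None if there is no code suffix."""
    code = submitted[-digits:]
    if len(submitted) <= digits or not (code.isascii() and code.isdigit()):
        return None
    return submitted[:-digits], code


def verify_login(submitted, stored_hash, salt, secret, now, last_step=-1, drift=1):
    """Return the accepted time step, or None on any failure.

    The caller stores the returned step as `last_step`, so a code that was
    already used cannot be replayed while it is still inside its window.
    """
    parts = split_login(submitted)
    if parts is None:
        return None
    password, code = parts
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    pw_ok = hmac.compare_digest(candidate, stored_hash)
    current = int(now) // STEP
    matched = None
    # Accept neighbouring steps because a hardware token's clock drifts.
    for step_no in range(current - drift, current + drift + 1):
        expected = totp(secret, step_no * STEP)
        if hmac.compare_digest(expected, code) and step_no > last_step:
            matched = step_no
    return matched if pw_ok else None
```

Both factors are always evaluated before the function answers, so a failed login does not reveal which half was wrong.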

Tokens are cool geek gadgets, but honestly they can be a real pain in the ass. My wife and I both use PayPal/eBay frequently and currently if she wants to log in, she has to wait for me to get home or call me and ask me for a key.

I’m happy that PayPal is taking steps to secure my account, but overall I was a bit disappointed in the whole process. I’m not really sure why they decided to implement the process differently on eBay, but they should consider providing a more consistent user experience. My hunch is that for the average Joe who doesn’t understand security, this token is probably going to seem like overkill and burdensome. I’m not sure, but I get the feeling that PayPal knows this and they’re just covering their using it to appease more technical users.

Disclaimer: I work for an authentication security company