PayPal, password key fob goes mainstream …

It has been official for about a month that PayPal will offer its users a password key fob to better protect them against identity theft. They will distribute VeriSign's one-time password key fob for this.

This will certainly help protect PayPal users against identity theft, as it makes password guessing extremely difficult while the user is offline. However, it is not correct to report that this will solve the problem of phishing. A phisher can capture a time-synchronous one-time password in much the same way he can capture a standard password, and reuse it for his own purposes.

One-time passwords have been a cash cow for security firms like RSA Security and Vasco for years. They provide strong end-user proof of identity; however, some innovation is required to make them suitable for secure use in the context of web applications. The bad idea here is to assume that, if used alone, passwords can be moved on the network…

