Entries tagged as 'paypal'
Posted Monday, 2 June 2008

I briefly used a PayPal security key, but it was a frustrating experience, simply because I kept leaving the key at home. PayPal’s integration with eBay is not good, which is surprising as eBay owns PayPal.
When I decided to stop using the key, I was able to cancel the PayPal key online in a matter of minutes. It took a 15-minute live chat with an eBay rep to remove the PayPal security key from my eBay account. Perhaps that was a security step by eBay. However, the frontline system for canceling the key on eBay’s site did not work properly.
The worst part of the PayPal key: I had to pay US$5 to get one in the first place. If PayPal really wanted business users to have multifactor keys, the first key would be free of charge.
Tags: authentication, e-commerce, eBay, mobile, multifactor, openid, password, paypal, trust
Posted Tuesday, 13 May 2008
The mobile phone is an excellent device for two-factor authentication. Most Internet users already have a mobile phone. A user might not notice that they’ve lost a dongle, security token or smartcard. That’s one reason adoption has been difficult for multifactor authentication schemes.
JanRain announced on 9 May 2008 that it is launching a phone-based multifactor authentication service, CallVerifID, that works with its myOpenID service.
The phone verification service lets a user designate a specific phone number that JanRain’s partner, PhoneFactor, will call when their username requires verification. The user can press the pound (#) key on the phone to confirm the login, or use the incoming call to report that their username has been compromised.
Users can designate a mobile or landline number for their verification calls by setting up their myOpenID account preferences with the appropriate number.
The system isn’t perfect. Someone could still learn the user’s OpenID URL and passphrase, and arrange to intercept the confirmation phone call somehow. This might take a greater level of physical access than stealing a security key or snooping a keyboard. The call verification system could easily be improved by asking the user to enter or speak a second passphrase on the phone.
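The confirm-or-report call flow described above, with the suggested second passphrase added, written as a decision function. This is an added example, not code from JanRain, PhoneFactor or the original post; the `*` key for reporting a compromise, the keypad PIN standing in for the second passphrase, and all function names are assumptions.

```python
import hashlib
import hmac
from enum import Enum
from typing import Optional


class Outcome(Enum):
    ALLOW = "allow"  # login confirmed on the phone
    DENY = "deny"    # no valid confirmation: fail closed
    LOCK = "lock"    # user reported the username as compromised


REPORT_KEY = "*"     # assumed key for "this was not me"
CONFIRM_KEY = "#"    # the pound key, as in the post


def pin_digest(pin: str, salt: bytes) -> bytes:
    """Store only a salted, stretched digest of the phone PIN."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)


def decide(answered: bool, keys: str, salt: bytes,
           enrolled_pin: Optional[bytes] = None) -> Outcome:
    """Map the keys pressed during the verification call to a login outcome."""
    if not answered or not keys:
        return Outcome.DENY                    # missed call or hang-up
    if keys == REPORT_KEY:
        return Outcome.LOCK                    # block the login and flag the account
    if not keys.endswith(CONFIRM_KEY):
        return Outcome.DENY
    entered = keys[:-1]                        # digits typed before '#'
    if entered and not entered.isdigit():
        return Outcome.DENY
    if enrolled_pin is None:
        # Original flow: a bare '#' confirms the login.
        return Outcome.ALLOW if entered == "" else Outcome.DENY
    # Hardened flow: whoever answers the call must also know the PIN.
    ok = hmac.compare_digest(pin_digest(entered, salt), enrolled_pin)
    return Outcome.ALLOW if ok else Outcome.DENY


# Constructed sample values for illustration.
SALT = b"constructed-salt"
PIN_HASH = pin_digest("4821", SALT)

if __name__ == "__main__":
    for keys in ("#", "4821#", "0000#", "*"):
        print(repr(keys), decide(True, keys, SALT, PIN_HASH).value)
```

With a PIN enrolled, a bare `#` from whoever picks up the call is no longer enough to approve the login.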
As Chris Messina pointed out in December 2007, several large Internet content companies have announced that they will support OpenID. Their implementation has been delayed for several reasons, including branding, although ma.gnolia finally came through in March 2008.
CallVerifID is more evidence that OpenID can become a trusted authentication platform for content and blogging sites, and perhaps for e-commerce sites as well.
See CenterNetworks and Mashable for more details.
Mobile phone image courtesy of besto-Baker on Flickr, through a Creative Commons license.
Tags: authentication, blogging, e-commerce, eBay, mobile, multifactor, openid, password, paypal, phone, security, telecom, voice