Chicago (IL) – VeriSign has teamed up with Apple to provide a second-factor authentication (2FA) token generator application for the iPhone. For those interested in maximizing their online security against fraud and theft, using a second-factor code, one which changes every 30 seconds, could be the best way to go. And now with VeriSign’s iPhone app, you won’t need to carry around a separate token or card. The iPhone becomes a one-stop shop for online 2FA security. In this article we explain the technology, and show you how to use it.
When armed with extended validation certificates, patched browsers and a deep knowledge of online security, many users still feel uneasy when logging into their PayPal or eBay account. And who could blame them? Sites like these hold very sensitive financial information, a target fraudsters could use to empty out bank accounts. The best thing you can do to better protect yourself online is to opt in to so-called second-factor authentication on sites that support the technology. This requires you to order security tokens or a card from one of the trusted security providers, and then have it with you pretty much all of your online time — what an annoyance. What if you could turn your iPhone, something that’s always there in your pocket, into a token?
Online security is like safer sex: While aware of the risks, you can never be safe enough. And even if you “forget” your protection one time, that could be all it takes to become compromised. When it comes to your online and Internet life, a simple name and password in most cases is your only defense against fraudsters — and an extremely weak one at that, might I add. Just ask Governor Sarah Palin or France’s president Nicolas Sarkozy, whose email account hacks have been front page news. But you don’t hear very often of fraudsters getting the details to one’s bank account, thanks to so-called two-factor authentication (2FA).
What is 2FA?
Two-factor authentication adds a new, much stronger security layer by combining something you know (login username and password) with something you physically have — a token. A token is basically an electronic device that looks like a calculator. It uses a complex mathematical algorithm to constantly supply a 6-digit code that is unique to only your token, and changes every 30 seconds for security reasons. Tokens also have a unique identification number (usually printed on the back), which is used for authorizing the device on supported sites, like online banking.
Your security provider may issue you a security card instead of a token. When connected to a computer via an accompanying reader and paired with a digital security certificate, it enables easier authentication by the simple means of inserting your card into the reader — rather than generating codes via token and entering them manually.
For years, 2FA has proved
its effectiveness across the financial industries, and it’s no
wonder this technology has now arrived on many of the sites we commonly use — like eBay,
YOUR CREDENTIALS
A token (above) and a security card with an accompanying reader (below) both serve as the second-factor authentication credentials on supported sites. Financial institutions and banks have been issuing tokens and security cards to clients for years, mainly for online banking, but you can use them on online shopping malls as well.
Who needs a token, anyway?
In order to enjoy stronger security on 2FA-enabled sites, you first need to get yourself a 2FA credential, that is, a token or a security card from a trusted provider like VeriSign. But that’s so last century. Security cards work only with a reader connected to your computer. A token, on the other hand, is small enough to fit in your pocket, but it’s still another piece of hardware to carry around. Enter VIP Access, VeriSign’s free iPhone app that turns your phone into a 2FA credential. What’s best, you can use it on many popular sites. Banks, online merchants and over 40 well-known sites are part of the company’s VIP Network, including eBay, PayPal and AOL (member sites display the VeriSign Identity Protection logo). With that in mind, you can enjoy stronger security on any of the member sites within minutes. Let me show
YOUR IPHONE IS A TOKEN
Remember the tokens issued by your bank that you use to generate security codes for logins to your online personal banking (left)? You can use the same technology to better protect yourself on sites that hold your sensitive financial data, like eBay or PayPal. And, thanks to VeriSign’s iPhone app, there is no need to carry around a separate token or card — your iPhone becomes a trusted token (right).
Setting up: Activating your credential
First, download the free VIP Access program from the App Store (iTunes link).
Next, when you first run the app you’ll be asked for your phone number.
VeriSign will anonymously use it to text you activation instructions.
Once you complete the activation process, your iPhone becomes an
authorized credential provider that can be used on partner sites. The second
phase is activating your credential (the iPhone) for use on, say, your
In order to do this, you simply log
into your account on a VeriSign-approved partner site and indicate that
you want to activate a credential. The site will prompt you to input
the serial number of your credential (shown when you run the app), thus
tying your token (iPhone) to your PayPal account. No need to worry —
the serial number created by the app is an anonymous identifier and
VeriSign uses it only to verify that this token and all variations of
its one-time-passwords belong to you.
ACTIVATE YOUR CREDENTIAL
When you first run VeriSign’s free VIP Access for iPhone, you will be asked for your phone number. VeriSign anonymously uses this information to provide you with the activation instructions in a text message. Once finished, your iPhone becomes an authorized token that you can use to generate one-time six-digit codes on sites that provide two-factor authentication, sites such as eBay, PayPal, AOL and 40 other sites.
Logging in is a breeze
The next time you log in to your 2FA-activated account, the site prompts you for a username and password as usual. However, an additional entry field appears where you must enter the six-digit code provided by the iPhone app, a code which changes every 30 seconds. The codes generated by the app are unique to only your iPhone and, by changing every 30 seconds, serve as one-time codes.
What happens next is pretty
straightforward: VeriSign checks the code you entered on a
participating site against your token’s serial number to verify that it
matches the token you used to activate your account on a site. If your
iPhone gets lost, stolen or you simply don’t have it with you, a link is provided on the site to answer the set of challenge
questions you originally established when you first authorized your
site’s account for use with 2FA.
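To make the check described above concrete, here is an added example (not VeriSign's code and not part of the original article) of a server verifying a six-digit, 30-second code against the secret bound to a credential's serial number and refusing to accept the same code twice. It assumes the token uses the standard TOTP algorithm (RFC 6238 with HMAC-SHA1), which the article does not state; the serial, the secret and the names totp, Verifier and demo are constructed for illustration.

```python
import hashlib
import hmac
import struct

STEP = 30    # seconds a code stays valid, as described in the article
DIGITS = 6   # code length, as described in the article

def totp(secret, unix_time):
    """RFC 6238 TOTP with HMAC-SHA1: the code for the 30-second window of unix_time."""
    counter = struct.pack(">Q", unix_time // STEP)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation from RFC 4226
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)

class Verifier:
    """Server side: looks up the secret bound to a credential serial and checks codes."""
    def __init__(self, secrets, drift_steps=1):
        self.secrets = secrets          # serial -> shared secret, set at activation
        self.drift_steps = drift_steps  # windows of clock drift tolerated either way
        self.last_step = {}             # serial -> newest window already accepted

    def check(self, serial, code, now):
        secret = self.secrets.get(serial)
        if secret is None:
            return False
        current = now // STEP
        for step in range(current - self.drift_steps, current + self.drift_steps + 1):
            if step <= self.last_step.get(serial, -1):
                continue  # this window was already used: reject the replay
            expected = totp(secret, step * STEP)
            if hmac.compare_digest(expected.encode(), code.encode()):
                self.last_step[serial] = step
                return True
        return False

# Constructed sample data: made-up serial, RFC 6238 published test key as secret.
SERIAL = "EXAMPLE-SERIAL-0001"
SECRET = b"12345678901234567890"
def demo():
    verifier = Verifier({SERIAL: SECRET})
    code = totp(SECRET, 59)
    return [code,
            verifier.check(SERIAL, code, 59),      # fresh code: accepted
            verifier.check(SERIAL, code, 60),      # same code again: rejected
            verifier.check(SERIAL, code, 200),     # long expired: rejected
            verifier.check("UNKNOWN", code, 59)]   # unregistered serial: rejected

if __name__ == "__main__":
    print(demo())
```

The one-window drift tolerance is a design choice in this sketch: widening it makes logins more forgiving of clock skew but lengthens the time an intercepted code stays usable.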
TWO-FACTOR AUTHENTICATION: PAYPAL
When you enter your regular username and password on a 2FA-enabled site, you will be prompted to enter an additional six-digit code provided by the VIP Access iPhone app. The code changes every 30 seconds and can only be used once. Pictured above: 2FA authentication on PayPal.
Conclusion: Near-perfect protection
Of course, the technology used here isn’t unbreakable. Nevertheless, it’s near-perfect. Let’s consider the worst-case scenario. If a fraudster grabs your PayPal username and password, they will not be able to log in because they will not physically have your second-factor credential, that is, your iPhone. Theoretically speaking, fraudsters may only break into your 2FA-protected account if they obtain both your login details and physically steal your iPhone. As you can imagine, the probability of this happening anonymously is very small.
If online security is paramount to you (as it should be), and you own an iPhone, I strongly advise you to give VIP Access
a try. Those with sensitive financial information stored on sites like
PayPal and eBay shouldn’t really second-guess the viability of this
solution. It’s based on the nearly unbreakable idea of token and second-factor
authentication. If it was good enough for
financial institutions like banks (and even the United States Treasury) who have been issuing tokens to their
clients or online users for years, it should be good enough to protect your PayPal
and eBay accounts as well.
Last but not least, the technology comes with the seal of approval of VeriSign, a company that’s proven to be a name you can trust. Provided free of charge, it’s a no-brainer if
you ask me. Remember, protecting yourself is always better than dealing
with unpleasant consequences later. In other words, there is really no
reason why safer sex should be more important to you than safer financial
VERISIGN’s VIP ACCESS FOR IPHONE IN ACTION