VeriSign has released an iPhone app that lets you supplement a user name and password login at several Web sites with a well-regarded and cryptographically robust method of confirming your identity. AOL, eBay, and PayPal are notable among current sites supporting the system.
The free VIP Access for Mobile application relies on a unique credential created for your iPhone based on its phone number, and confirmed with an SMS message sent to that number. Once the credential is confirmed with this looped-back process, the program generates a unique 6-digit token every 30 seconds using an algorithm that’s uniquely derived from the credential. (VIP stands for VeriSign Identity Protection.)
iPod touch devices can’t use VIP Access because of the lack of an out-of-band method of confirming a unique identity, at least in the current system design. VeriSign has released this application previously only for mobile phones, including the BlackBerry and other platforms.
When using this system you’re much less likely to experience account theft, even if there’s a breach of login data at a Web site or if you’re scammed out of your login credentials. Because VeriSign separately controls and authenticates its own tokens, a cracker can’t get in, even if he has your user name and password. A site would have to suffer an internal security flaw that allowed token entry to be disabled or bypassed. (Passwords are always encrypted and protected at any well-designed site, but a data breach could allow crackers to pair account information with commonly guessed passwords or passwords assembled from other sources that are then matched up by email or other data.)
At sites that support VeriSign’s system, you log in the first time with your current user name and password, and then enter the credential from VIP Access to activate two-factor authentication (one factor is your regular login; the other, the token). From then on, you must have the phone and the current token to supplement your regular login to use that site.
The convenience of having this second factor on your phone can’t be overstated: we iPhone users generally have our phones with us most of the time, and when we’re using a computer, it’s likely on our person or nearby. And it’s a single device that many Web sites can support. I currently have key fobs from eBay/PayPal and Etrade. I use those sites regularly but not frequently, and I’m always rooting around to find the key fob.
The security of a second factor is that a thief needs two parts to abuse your information, and it’s hard to obtain both parts at once. If someone obtains your credential number, the current token can’t be reverse engineered from it. If someone glances at your current token or obtains it in some other fashion, it’s no good after less than 30 seconds. Note that I include a token in the screen capture above from my iPhone, which was good for only 30 seconds from when I took it.
Even if a thief steals your phone, as long as you haven’t stored your account names and passwords for sites you’re using with VIP Mobile, having the token generator won’t do the thief any good.
A phishing attack is still possible. Imagine that you are convinced you are visiting a secure site that uses a VIP token, and enter your login name, password, and the current token. If the site is malicious and enters the same credentials at the real site within a few seconds, a phisher could gain access.
This makes it all the more important to check the tell-tale signs that the secure site you think you are at is actually the correct one: check the domain name, look for https in the URL (location field), and make sure a lock icon appears in the browser – Safari shows it in the upper right, Firefox in the lower right.
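To make the token mechanism described above concrete, here is an added example (not VeriSign's code; the article does not state VIP Access's exact algorithm) of a 30-second, 6-digit time-based one-time password in the style of RFC 6238, with a verifier that accepts one adjacent time step for clock drift and refuses to accept the same step twice. Running it shows why a code is useless once its window has passed, and also why a code relayed by a phishing page within seconds is still accepted, since the verifier cannot tell who typed it. The shared secret is the RFC 6238 test key, used here only as constructed sample input.

```python
import hashlib
import hmac
import struct

STEP_SECONDS = 30   # token lifetime, as the article describes
DIGITS = 6          # 6-digit token

def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """HMAC-SHA1 one-time code for a counter value (RFC 4226 truncation)."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)

def totp(secret: bytes, unix_time: int, step: int = STEP_SECONDS) -> str:
    """Time-based code: the counter is the number of 30-second steps elapsed."""
    return hotp(secret, int(unix_time) // step)

class TokenVerifier:
    """Server-side check that shares the secret with the phone's generator."""

    def __init__(self, secret: bytes, drift_steps: int = 1):
        self.secret = secret
        self.drift = drift_steps          # tolerate one step of clock skew (assumption)
        self.last_accepted_step = -1      # never accept a step twice (replay guard)

    def verify(self, code: str, unix_time: int) -> bool:
        now_step = int(unix_time) // STEP_SECONDS
        for step in range(now_step - self.drift, now_step + self.drift + 1):
            if step <= self.last_accepted_step:
                continue
            # constant-time comparison so timing does not leak digits
            if hmac.compare_digest(hotp(self.secret, step), code):
                self.last_accepted_step = step
                return True
        return False

if __name__ == "__main__":
    secret = b"12345678901234567890"     # RFC 6238 test key, constructed sample
    v = TokenVerifier(secret)
    t = 1111111111
    phone_code = totp(secret, t)
    print("phone shows", phone_code)
    print("relayed 2s later by a phishing page:", v.verify(phone_code, t + 2))
    print("same code replayed again:", v.verify(phone_code, t + 5))
    print("code from a minute ago:", v.verify(totp(secret, t - 60), t + 5))
```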
Participating sites pay what the New York Times reported is $3 to $10 per year per customer to gain this login with extra confirmation of a user’s identity; customers pay nothing.
This is a great deal on both sides. Customers get the assurance that their accounts are safe at the price of a little inconvenience – although most of us are always carrying our phones with us. And site operators get the added security while avoiding the cost and complexity of dealing with hacked accounts.