In association with heise online

How the Security Keys or Tokens work

The VeriSign Security Key or Token used by PayPal uses the OATH (Open Authentication) algorithm to generate a six digit, one-time numeric 'password'. Although the PayPal keys are 'PayPal' branded they are administered by VeriSign as part of their VIP (VeriSign Identity Protection) authentication service and can be used to authenticate any transactions made with any website that supports VIP authentication. The authentication itself is handled by the VeriSign servers although the PayPal companion mobile phone SMS authentication service is hosted by PayPal and can only be used to verify PayPal transactions.

The key hardware is autonomous, that is, there is no link between the key hardware and the authentication servers, so the system relies on the keys and the servers being synchronised at the point the key is initialised and remaining in step from that point onward.

The keys generate new 'passwords' (ranging from zero to 999,999) essentially using a pseudo-random number generator. Pseudo-random number generators produce strings of numbers that, in the relatively short term, have all the characteristics of truly random processes. However, they actually produce repeatable sequences and, when started with the same 'seed' number, will always produce the same series of numbers. When a PayPal customer initialises a keyed account they are required to enter two successive numbers generated by their key. A seed number is calculated from the two numbers provided by the customer's key, and a duplicate random number generator at the authentication server is seeded with this number. Thereafter it generates a new number for each transaction, which matches that generated by the key.

The credit card Security Keys used in America expire each number once it has been used in a transaction, while with the fob key PayPal is initially distributing in the UK, the numbers expire every 30 seconds. This means that if a fob key number remains unused for over 30 seconds, both the fob key and the server generators go on to the next number in the sequence. For security purposes the Security Keys are sealed to make it difficult for hackers to access the hardware, so the batteries cannot be replaced. The typical battery life for the fob type keys is from 3 to 5 years, depending on the environment and on how frequently they are used.
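The following is an added worked example, not code from the article or from VeriSign or PayPal. It implements the two OATH algorithms the article refers to: event-based HOTP (RFC 4226), where each code is consumed per transaction, and time-based TOTP (RFC 6238), where codes roll over every 30 seconds. In the published OATH specifications the "generator" is an HMAC-SHA1 over a shared secret and a counter (or time step) rather than a seeded pseudo-random number generator, and the two successive codes entered at enrolment are what lets the server find the token's current counter position (RFC 4226 section 7.4). The secret used here is the 20-byte ASCII string from the RFC test vectors, chosen so the outputs can be checked against the RFCs; it is a constructed demo value, not a real token secret. The look-ahead window size and the +/-1 step skew are assumptions.

```python
import hashlib
import hmac
import struct
import time

# Constructed demo secret: the 20-byte ASCII seed from the RFC 4226 / RFC 6238 test vectors.
# A real token holds a per-device secret that is never displayed or entered anywhere.
DEMO_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    msg = struct.pack(">Q", counter)
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                      # low nibble of last byte picks 4-byte window
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)  # keep leading zeros (000000 is a valid code)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter replaced by floor(time / step); step=30 matches the fob."""
    return hotp(secret, unix_time // step, digits)


def resync_counter(secret: bytes, first: str, second: str,
                   server_counter: int, look_ahead: int = 100):
    """Server-side resynchronisation for event-based tokens (RFC 4226 section 7.4).

    Two consecutive codes from the token must match two consecutive counter values
    inside the look-ahead window (window size is an assumption here). Requiring both
    codes makes a lucky single-code guess insufficient. Returns the next counter the
    server should expect, or None if no position in the window matches.
    """
    for c in range(server_counter, server_counter + look_ahead):
        if (hmac.compare_digest(hotp(secret, c), first)
                and hmac.compare_digest(hotp(secret, c + 1), second)):
            return c + 2
    return None


def verify_totp(secret: bytes, submitted: str, unix_time: int,
                step: int = 30, skew: int = 1):
    """Accept a time-based code for the current step or +/- skew steps (clock drift).

    Returns the matched time step so the caller can record it and reject a replay of
    the same code within the same step. Returns None when nothing matches.
    """
    t = unix_time // step
    for delta in range(-skew, skew + 1):
        if hmac.compare_digest(hotp(secret, t + delta, len(submitted)), submitted):
            return t + delta
    return None


if __name__ == "__main__":
    # Event-based: the first ten codes the token would show (RFC 4226 Appendix D values).
    print("HOTP counters 0-9:", [hotp(DEMO_SECRET, c) for c in range(10)])
    # Enrolment: user types two successive codes; server locates the counter position.
    print("next counter after resync:", resync_counter(DEMO_SECRET, "359152", "969429", 0))
    # Time-based: a code at t=59 s is still valid at t=89 s (one step of skew), not at t=150 s.
    code = totp(DEMO_SECRET, 59)
    print("TOTP at t=59:", code, "valid at 89:", verify_totp(DEMO_SECRET, code, 89),
          "valid at 150:", verify_totp(DEMO_SECRET, code, 150))
    print("current code for demo secret:", totp(DEMO_SECRET, int(time.time())))
```

The constant-time comparison (`hmac.compare_digest`) and the zero-padded six-digit output are the two details most often got wrong in home-grown implementations; the resynchronisation routine also shows why a bounded look-ahead window matters, since an unbounded search would let an attacker submit any two codes the token will ever produce.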

Permalink: http://h-online.com/-746227