January 19, 2007 6:28 AM PST

An easier identity solution

by Jon Oltsik

PayPal announced last week that it will soon support a key fob to provide its customers with two-factor authentication.

For $5 for personal accounts--and free for business accounts--people can get a One-Time Password (OTP) device that displays a new six-digit code every 30 seconds. The intent is to provide customers with another line of defense against identity theft and the continuous onslaught of PayPal-based phishing attacks.

On the plus side, it's nice to see PayPal being aggressive with security. If people feel they can't trust PayPal, the financing company suffers. A big PayPal breach could also be the only thing that has the potential to crash the eBay party. If PayPal can't be trusted, the natural question consumers will ask is: What about eBay? A security breach at a brick-and-mortar business is bad. A security breach at an e-business can be lethal.

Now kudos to PayPal aside, I see a potential problem in the not-too-distant future. Pretty soon, we consumers will be required to have multiple security tokens, smart cards and passwords to do anything online. Imagine a string of security fobs you carry around next to the keys to your minivan and SUV. This could get out of hand rather quickly.

I believe that e-businesses and the security industry have this whole thing backward. Instead of putting the onus of strong authentication on the vendors, it ought to reside on the consumer. I should be able to go into my local Radio Shack and buy a security token of my choice. Once I own this, I ought to be able to register it with my bank, credit card company, and any other online service provider of my choice. This would create a one-to-many solution rather than today's many-to-one mess.

This idea would take some work and cooperation, but it is certainly possible. Back-end vendors would have to agree on a set of authentication standards they would support. There are several efforts already in place, including VeriSign's Open Authentication standard (OATH), RSA's OTP standard and various others being driven by the Liberty Alliance, the IEEE and the federal government.

Global two-factor authentication would also require services specialists to act as middlemen and handle technology, legal and support tasks. But I'm sure that VeriSign, Ping Identity, RSA and loads of others would be willing to fill this void. Finally, what happens if you lose your token? We need some seamless way to anticipate this with rock-solid processes for protecting consumers, reissuing tokens, and taking care of back-end updates. The identity service providers could certainly fill this void.

We need to figure this out soon, lest we end up with a string of security tokens--or with online services that have gone away. Starting next year, for example, consumers will have to go to the Registry of Motor Vehicles in person for many transactions we now do over the Web. Why? To enforce the federal Real ID Act starting in 2008.

Wouldn't it be easier if I had a single security token that let Uncle Sam and everyone else know that it is really me?

Jon Oltsik is a senior analyst at the Enterprise Strategy Group. He is not an employee of CNET.