If you bank or shop online or otherwise use the Web to move money around, you need more protection for your accounts than just a simple username and password. Many of us reuse passwords on multiple accounts, and if a hacker or a malicious piece of software can obtain this information, you can suffer the consequences and be out a lot of dough in the process.
Of course, the quickest fix is to not reuse passwords across multiple accounts, but few of us are likely to do that. A more secure and dependable solution is to make use of two-factor authentication. This is a fancy way to talk about a device that you keep on your person that only you have access to. If you work for a financial institution, or another paranoid employer, you probably already have something that looks like a credit card or a key fob with a small LCD display. This is the second factor (the first is your login name), and unlike your login, only you have possession of this device. To make it work, you enter the series of numbers shown on its face after you enter your login ID. These numbers are timed precisely to an authentication server. If you don’t enter the right sequence of digits, you can’t log in to your account.
These fobs or security keys have been available to the general public for a few different Web sites. PayPal, for example, sells them for $5. Getting set up takes just a few moments, and it adds an extra step when you log in to your account.
But the fob can be lost, or you might not remember to carry it with you when you are shopping online. A better solution is to use a virtual key, one that runs on your smartphone, for example, or that makes use of a series of text messages if that is the only service you have. You don’t need to remember to bring anything with you, and these virtual keys are also free of charge.
VeriSign/Symantec calls its service VIP, for VeriSign Identity Protection. It is available in software for a wide variety of phones, including iPhones, Androids, Blackberries, and others. You download the software (via iTunes for the iPhone, and similar Web app stores for the others) to your phone, walk through the setup process, and register the software key with PayPal or other sites that you are interested in protecting. Here is one credit union in Palo Alto that makes use of the service where you can get an idea of the VIP process in more detail.
VIP keys can be used for purposes other than your online banking: they can protect VPN access to your corporate network and other intranet applications. They are easy to manage once you tie the key servers in to your corporate identity servers. And they remove the headache of managing actual hardware security keys from the whole process, which is another plus.
VIP isn’t the only game in town. A startup called Enole.net is working on something similar that can turn your cellphone into a universal ID for all sorts of purposes, such as your car, your house key, and so forth. I haven’t gotten any specifics but the information on their Web site sounds intriguing.
It is time we started using better authentication methods for more of our online logins. And VIP is one very painless way to do so.