Recently, PayPal began offering account holders the ability to use a Security Key as an additional means of protection. The Security Key is a small piece of hardware that connects to the computer’s USB port and displays a sequence of numbers that change every 30 seconds. Once the key is activated, users must supply these numbers in addition to their typical PayPal username and password in order to be granted access. No accessible version of the PayPal Security Key is offered at this time. Though the Security Key is not required, there are a couple of significant concerns.
At this time, use of the Security Key is not required in order to continue using PayPal. One may decide to avoid purchasing and activating the Security Key, while still retaining access to their account. This may seem to represent a mitigating factor, except for one dirty little truth. The availability of the Security Key to only sighted PayPal customers automatically means that blind and visually impaired customers are not afforded the same degree of security! That’s right. While the sighted may now enjoy two-factor, virtually unbreakable authentication, we blind folks are stuck with the traditional username and password approach. This inherently makes the blind more vulnerable to fraud, identity theft, loss of PayPal funds and all manner of other imaginable nastiness. Alas, that’s not all!
While the Security Key is currently an optional enhancement, we can see the day in the near future when PayPal will begin requiring use of this authentication method for all account holders. At that time, blind and visually impaired people will be completely locked out of their PayPal accounts, unless an accessible version of the Security Key is made available. When that happens, PayPal will be giving its blind customers the boot, showing them the tightly barred and locked door featuring the infamous “No Blind People Allowed” sign.
Multifactor authentication is not new to PayPal. It is rapidly extending to the web sites of many banks and other financial institutions. It is absolutely critical that we, as a blind community, begin to effectively address issues of visual CAPTCHA and multifactor authentication before we find ourselves locked out of online participation and even separated from our money! Let’s act now with respect to PayPal! We urge all of you to ask PayPal for information about their intentions toward blind and visually impaired customers with respect to the Security Key. Please post any responses from PayPal as comments to this article.
Thank you for contacting PayPal.
Hello my name is Mindy. I would like to thank you for your email, I have forwarded your ideas to the appropriate party. It is a great idea!
Thank you for the email and you are welcome! We are pleased to have you as a member of the PayPal community. If you need assistance in the future, you can contact customer service by email at
Thank you for using PayPal!
If you have any further questions, please feel free to contact us again.
PayPal Community Support
PayPal, an eBay Company
We (Positive Networks) just released a product called PhoneFactor that makes phone calls as the second authentication factor. The user enters an optional PIN and presses # to confirm the login. Do you think this would offer improved accessibility for blind and visually impaired people?
More info: http://blog.phonefactor.net
Chief Technology Officer
I can’t help you with your Paypal problem, the one-time password (OTP) tokens used in the Paypal application are from VeriSign. The solution of this problem is not, however, rocket science, and I presume that VeriSign and the other OTP token vendors will quickly step up to the plate, if they have not done so already.
The best known OTP token is doubtless the RSA SecurID, from RSA Security, now the security division of EMC. The RSA SecurID provides high-assurance two-factor authentication (2FA) for millions of users, sighted and blind, at some 30,000 enterprises, financial institutions, and government agencies, world-wide.
I’ve been a consultant to RSA for many years. I even recall RSA (then Security Dynamics) shipping their first “Audible SecurIDs” in the late 1980s. The earliest ones were pretty klunky, shaped like a medium-sized cigar box — but I’ve heard of some of those in use for decades: repeatedly cleaned, refurbished, and even reloaded (by RSA) with the SecurID application, when necessary. (Some of your readers may recall those monsters, and where and how they were used. I’d love to hear some war stories, if anyone is up for sharing.)
The SecurID, as you doubtless know, is an OTP token which continuously generates and displays a 6-8 digit (or alphanumeric) “token code” every 60 seconds. It is used only within the context of two-factor authentication, which means that a user will have to provide both a memorized password or PIN, as well as the token’s one-time password, to gain access to protected resources. While still mostly used in enterprise environments, OTP tokens like the SecurID are also, as you noted, increasingly used in consumer environments like AOL, and by financial services institutions like eTrade — often offered as an optional security enhancement.
RSA no longer makes or sells those special-purpose “Audible SecurIDs;” the product has evolved beyond that. Today, most institutions find it cheaper and more convenient provide their blind or sight-impaired employees, contractors, partners, or customers with one of the several RSA Software Tokens: token-emulation applications available for Palm and Windows PDAs, beepers, mobile phones, and Windows XP Desktops.
With a simple text-to-audio utility, many of these devices quickly and easily become the 21st Century’s “Audible SecurIDs” — still providing two-factor authentication (2FA) to the sight-impaired, but now readily- available devices with a long and proud heritage.
RSA makes these token-emulation applications available for free download from it’s website at: http://www.rsa.com/node.aspx?id=1313.
The RSA SecurID Toolbar Token for Windows desktops is also reportedly quite popular among blind users and their employers. Check out:
As you are probably aware, the SecurID software-token option is something that your local IT administration would have to authorize and implement, since it requires the site to separately purchase, from RSA, the SecurID “seeds” needed to initialize these “soft tokens.”
Like any wholly software-based security device, of course, the use of these “soft tokens” will also place an additional responsibility on the token’s user and the local security administrator. The integrity of the OTP generator — indeed, the trustworthiness of your access control system — will depend upon the user (of a PDA, for example) and his employer (for, say, desktop PCs) being cautious and faithful in providing effective physical and virtual security for the devices which hold the SecurID “soft token” app.
(Despite a variety of defenses built into the RSA code, the secrets of any software application are ultimately accessible to a sophisticated attacker who has unrestricted physical or virtual access to the platform that executes the SecurID application code. Some high-security settings may, by policy, require the use of the sealed [and tamper-resistant, DPA resistant] SecurID hardware token, unless and until exceptions to that policy are defined and negotiated. That, however, is a manageable issue for most SecurID installations.)
One caution: I’ve been an advocate and evangelist for OTP tokens since before any of these devices first came on the market, so I appreciate your enthusiasm for OTP tokens. As I suggested above, when talking about RSA Software Tokens, however, these devices are not the proverbial “silver bullet” for online or IT security. Nothing is.
OTP tokens like the SecurID can substantially raise the barrier against illicit access to protected network accounts and resources, but they are best implemented in a matrix of multiple security layers, with active oversight, cautious best-practice protocols, and self-consciously aware users. Any attack — say a targeted trojan — that manages to corrupt the platform that is executing OTP code can “own” the whole system, and it can then display only what it wants to display, and do whatever it wants to do, with covert access to any shared secrets intended to safeguard the authentication, authorization, and audit functions of your system or network.
Security is a process; a culture of caution; not a simple device; not a technology — which is why it is so hard to project it effectively into the mass consumer market. Security layers must evolve to overlap in different ways, presenting an active, mobile, responsive target for interlopers and criminals. 2FA and one-time password tokens make a substantial contribution to an institution’s defensive barriers, don’t doubt it — but we do a disservice to your readers if we do not place OTP tokens, what many call “strong authentication,” in a realistic context.
“Perfect security” is unattainable — and, in any case, it would cost too damn much. Effective security, by contrast, is a culture — and, like any culture, it necessarily relies upon aware people, not just technology, to give it strength and resilience.
I hope this is helpful.
I just want to point out that there are authentication vendors, like Vasco Data Security, that provide “talking” security keys, called Digipass Comfort Voice (they have card readers too). In stead of just diplaying a one time password or a dynamic password, the device puts the password in audio and you can hear it through the build-in speaker or headphones.
So there are solutions, you just have to find them and companies like PayPal have to be willing to use them and to provide them for their blind clients and employees.