The PayPal Security Key
After listening to Security Now! #101, I immediately ordered a PayPal Security Key, as I was as intrigued by it as Steve was when he discovered it. It arrived in my post box last week; I activated it on the same day and have been using it ever since. So without further ado, here's my review of the thing.

So here's what it does: You usually log into PayPal & eBay with your username and password, right? That is what security experts call single-factor authentication and it is reasonably secure. That is, secure enough for needs like email or logging into a normal website like this one. Since your PayPal & eBay accounts are directly connected with your bank account and therefore your money though, you'd be much better off with more security here.

The Security Key adds another factor to the authentication scheme, which makes it two-factor authentication. Basically, the little dongle has a secure chip in it that uses state-of-the-art crypto, a pseudo random number generator and the current time from the built-in clock to generate a completely unique number every time you push the little button. That number is only valid for 30 seconds, after which you would have to generate a new one.

So you go to the PayPal site, order this thing for five euros and they ship it to you. Once it arrives, you go to your account page on PayPal and click a link to tell them you wanna start using this thing. You then have to push the button and enter the number that comes up and voilà, from now on you can only log into your PayPal account if you enter your username and the password immediately followed by one of those numbers you get when you push the button. Should you forget to enter the number, or should the 30 seconds run out, you will be redirected to a page where you can enter a fresh number. You can also activate the same kind of procedure on eBay's site, using the same dongle.

As you can see in the picture, the thing is pretty small: about 6 cm long and maybe 1 cm thick, so you can actually carry it on a keychain. The battery is non-replaceable but will last 3-4 years of normal usage, according to PayPal. eBay Inc., who owns PayPal, is actually heading the so-called VeriSign Identity Protection (VIP) initiative, which aims at getting more websites behind using this technology (which is produced by VeriSign). If this initiative is successful, you could use one of these dongles for logging into hundreds of sites, which would be pretty neat. This technology is the most secure yet still convenient authentication system that is commercially available right now, and widespread adoption would benefit everyone. You can get the Security Key for five euros by going to http://paypal.com/securitykey and placing an order. Sadly, the system just came out of beta and is currently only available in the US, Australia and Germany. Apparently, more countries will be added to the list in the beginning of next year.

Feeble Rating: FFFF

This product is dirt cheap and completely awesome. However, I subtract one Feeble Point for only being available in the three mentioned countries right now and the fact that you (at least for the time being) can still log into your account without the key if you answer a few security questions or let PayPal call you (the extent of these measures seems to depend on your internal "trustworthiness level"), which subverts some of the security of the system in my eyes. The score was also negatively affected by the fact that the technology involved is of proprietary nature, which also makes it less secure than if it were open source.

Further information: If you want to get the in-depth scoop on the PayPal Security Key right from the guy who is responsible for the project at PayPal, listen to Security Now! #103 with Leo Laporte & Steve Gibson.

Great review Fabian, like it a lot. Good use of the F rating as well :) I'd love a PayPal security key but have to wait for them to release it here :( hopefully it won't be long. I have used the same device to log in to a corporate LAN over VPN before and it worked great for me then. Looks like the exact same piece of hardware too, probably supplied by the same company.

I should mention before I forget that Fabian will be coming on Rathole Radio this week to tell us about his PayPal security key, everyone, so listen out for that. He can also talk beer with Kevan, who's going to tell us about his beer festival fun this week :)

------------------------------------------------------------------------------------

A puff of smoke and he appears... a little bewildered and in urgent need of munchies... where's the fridge? :) The Human Cloud (Danny Blaze)