VIP Access for Mobile works by creating credentials tied to your iPhone. These credentials are based on your phone number and confirmed via SMS messaging. After your number is confirmed, the app generates a unique, six-digit token that changes every 30 seconds based on an algorithm associated with the credentials created. It's extremely difficult for identity thieves to breach this type of two-factor authentication because the token cannot be reverse engineered and changes so quickly. (If you work for a business where IT departments issue devices called "tokens" that act as the second factor for authentication, you're likely already familiar with this type of security.)
Now, your iPhone and the VeriSign app function together as a security token. Your first authentication factor is your regular user ID and password, and the second authentication factor is the token generated by VeriSign's app on your iPhone.
There are a couple of drawbacks to the VeriSign app. For one, you will now need your iPhone physically available in order to log in. It's also important to remember that if your iPhone is stolen and contains your log-in and password information, you're in trouble. That's why I recommended an app called Wallet, which securely stores log-in information. I also recommend that you activate the iPhone's Passcode Lock and Auto-Lock features found in the Settings app in the General section.
This type of credential-based security technology is a clear win for both you and the Web sites you visit. It also shows another innovative use for the iPhone and makes me wonder what my iPhone has the potential to replace next. Hopefully it will eventually replace some of the things I'm carrying on my lanyard.
I have the same problem. I have also noticed that I'm sent to that same "Activate your mobile phone" page when I click on the link that is supposed to let me order a PayPal security token. It seems kinda like they used to offer the service that used the tokens, but switched to the SMS system and didn't update all of the pages that mention the old token-based system? I don't know.
On the page where it tries to have you register your mobile phone, simply click on "Cancel" at the bottom of the form and it will take you to a page that will allow you to register your existing physical PayPal security key or a Verisign security key.
To clarify, the only way you can use an app for 2FA is to use the Symantec VIP Access app. (I had to get that despite the fact that all of my other authorization codes are generated by Authy.) Then you can register VIP Access using the process for registering a "Verisign security key." When it asks for a serial #, use the credential ID #.
THANK YOU!! That solved the problem. How can we let PayPal know about this? I just spent almost 45 minutes on the phone with a rep who had no idea that you have to press the CANCEL button to get here. Not very intuitive, but it would be great if the PP support folks added it to their script books.
You can't use it any more. They've recently downgraded users to SMS only - which NIST has phased out because it's not secure at all. They consciously, deliberately made us all less safe so they can save money and because they refuse to update their crumbling architecture.
The VeriSign Mobile SDK allows developers to easily embed VIP security into their value-added mobile applications. These applications include mobile banking, mobile payments, social networks and media distribution. VIP customers can now utilize the mobile SDK to simplify account access for their users while making the logon experience much safer and easier. For organizations taking advantage of the Mobile SDK, all their users can maintain or shorten the logon process with security provided 'under the hood' between the mobile application and the enterprise -- which means no longer will they be required to go through the three-step process of entering their username, password, and dynamic security code. VeriSign supports the most popular handset platforms including Android, iPhone, Java 2 Micro Edition (J2ME), Windows Mobile and BREW.
The VIP Access for Mobile credentials are utilized with the VeriSign Identity Protection (VIP) Authentication Service. VIP provides an additional layer of protection beyond standard username and password. Strong authentication works by requiring each user to provide not just a username and password but also a second factor, in this case, a dynamic one-time six-digit security code generated by a user's VIP credential. Traditional strong authentication solutions required enterprises to deploy and manage costly IT infrastructure; now enterprises can utilize a VeriSign hosted service to obtain strong authentication. With VIP, enterprises can choose from a variety of credentials for delivering one-time passwords, including freely available credentials for mobile devices and PCs as well as standalone security devices from industry-leading vendors.
"As mobile devices become the preferred way for communicating, banking, social networking and accessing rich media content, the need for enhanced logon and transaction security is greater than ever," said Kerry Loftus, vice president of User Authentication at VeriSign. "VeriSign Identity Protection provides enterprises and consumers the tools to access a very cost-effective cloud-based security solution built to foil the criminal efforts of hackers, identity thieves and fraudsters. With the free VIP Access for Mobile application available on more and more mobile devices worldwide, the protective net of VIP Authentication is spreading."
VIP Access for Mobile and VIP Authentication Service have won several global industry awards, including the Information Security Magazine and SearchSecurity.com 2009 Readers' Choice Gold Award, the eWeek Product to Watch for 2009, the Network World Asia 2009 Readers' Choice Award for Best Identity Management Suite, and the 2009 Network Products Guide Award in the Best in Multi- and Second-Factor Authentication category. VeriSign was also recently named as a finalist for the 2010 SC Magazine Awards in the categories of Best Identity Management Solution, Best Multi and Second-Factor Solution, Best Security Software Development Solution and Best Web Application Security Solution.
About VeriSign
VeriSign, Inc. (NASDAQ: VRSN) is the trusted provider of Internet infrastructure services for the networked world. Billions of times each day, VeriSign helps companies and consumers all over the world engage in communications and commerce with confidence. Additional news and information about the company is available at www.verisign.com.
Statements in this announcement other than historical data and information constitute forward-looking statements within the meaning of Section 27A of the Securities Act of 1933 as amended and Section 21E of the Securities Exchange Act of 1934 as amended. These statements involve risks and uncertainties that could cause VeriSign's actual results to differ materially from those stated or implied by such forward-looking statements. The potential risks and uncertainties include, among others, the uncertainty of future revenue and profitability and potential fluctuations in quarterly operating results due to such factors as increasing competition and pricing pressure from competing services offered at prices below our prices, market acceptance of our existing services and the current global economic downturn, the inability of VeriSign to successfully develop and market new services, VeriSign's ability to build out its infrastructure in pace with demand, the uncertainty of whether new services as provided by VeriSign will achieve market acceptance or result in any revenues and the uncertainty of the expense and duration of transition services and requests for indemnification relating to completed divestitures. More information about potential factors that could affect the Company's business and financial results is included in VeriSign's filings with the Securities and Exchange Commission, including in the Company's Annual Report on Form 10-K for the year ended December 31, 2008, Quarterly Reports on Form 10-Q and Current Reports on Form 8-K. VeriSign undertakes no obligation to update any of the forward-looking statements after the date of this press release.
© 2010 VeriSign, Inc. All rights reserved. VeriSign, the VeriSign logo, the checkmark circle, and other trademarks, service marks, and designs are registered or unregistered trademarks of VeriSign, Inc., and its subsidiaries in the United States and in foreign countries. All other trademarks are property of their respective owners.
I am teaching our Defending Web Applications [1] class this week, and yesterday, one of the students pointed me to a news release about Google implementing two-factor authentication for its applications [2].
First of all, the mandatory primer on two-factor authentication: two factors means two authentication method groups. There are typically 3 different groups: something you know (password), something you have (token), something you are (biometric). If you have, for example, a laptop login set up via fingerprint, you are still using a single factor unless you also have to enter a password. And of course, two different passwords are not two-factor. There is also the problem of users collapsing the tokens, for example by writing the password on the back of the smartcard. Now something you know becomes something you have.
Typically, implementing two-factor authentication means buying tokens or smart cards for all of your users. This can be expensive (from what I have seen, $50/user is typical in smaller deployments), and it is only manageable for users with whom you have an existing relationship (employees, in some cases customers).