PayPal have yet to roll out the PayPal security key worldwide – I picked up mine in Boston at eBay Live! but am still unable to use it in the UK. Now it appears that two-factor authentication (something you know and something you have) may not give the security that was promised.
I wrote about my concerns back in January of this year: two-factor authentication was never designed for use on the Internet. Today I’m joined in regarding two-factor authentication as flawed by the HSBC Bank.
HSBC have chosen to use what’s known as an out-of-band security solution. Instead of relying on computers and passwords (even if generated by a security key), they will utilise the user’s mobile phone and a PIN number to authenticate their customers.
"Two-factor is not bulletproof - the PC may be compromised and it makes no sense to us to feed information into a compromised channel"
HSBC personal internet banking manager Nick Staib
HSBC and eBay.co.uk both sponsor the Get Safe Online campaign backed by the government. If HSBC are questioning the efficacy of security keys for online financial applications it may be time to look for new solutions.
Two-factor authentication with the PayPal security key would be a welcome bump to online safety in the UK. The big question is, by the time it’s introduced, will the PayPal security key be redundant?