I have a PayPal account and I have been using the PayPal security key for a while. The PayPal security key is a little key fob which generates a random 6-digit sequence every 30 seconds or so. You use it together with your password when you log in to your PayPal account. This provides so-called two-factor authentication, which is more secure than just a user name and a password. People who work in the corporate world use the same kind of device, also known as a security token or RSA SecurID, for accessing the corporate network through VPN. E*Trade also gives this kind of security device to its customers.
The PayPal security key has worked well for me. The only thing is it’s a separate thingy I have to keep in my bag. Imagine if all banks, brokerage firms and credit card companies start issuing these. I will have like 10 of them. Finding the right one will become a challenge.
Recently PayPal started offering a mobile security key service. For a one-time setup, you enroll your cell phone for this service. You enter your cell phone number. PayPal sends a random code to your phone via SMS text message. You confirm the random code and prove that you own the phone. Next time when you log in, after you put in your password, PayPal will ask you for a security code. You click on a button and let them send a security code to your enrolled cell phone by text message. You check the text message on your phone, enter the code, then you are in. If somebody stole or guessed your password but they don’t have your cell phone, they still can’t get in.
I tried the mobile security key and it worked smoothly. I get a text message in about 2 seconds after I click on the button on PayPal. With the mobile security key, I won’t have to keep my hardware key handy because I always have my cell phone with me.
PayPal doesn’t charge anything for sending the text message, but if your cell phone company charges you $0.20 for each incoming text message, it will cost you $0.20 every time you log in to PayPal. In that case you are better off getting the hardware security key, which costs $5 including shipping, but it’s just a one-time cost. The mobile security key service works best if you have unused text message allowance with your cell phone plan or if you don’t log in to your PayPal account more than a few times a year.
Bank of America also has a similar “security code by text message” service, which they call SafePass.
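
The text-message flow described above (enroll a phone by confirming a code, then confirm a fresh code after the password at each login), sketched from the server side. This is an added example, not PayPal's or Bank of America's code; the class and method names, the 5-minute validity window and the 3-guess limit are assumptions made for illustration.

```python
import hmac, secrets, time

CODE_TTL = 300      # assumed validity window in seconds (not stated on the page)
MAX_ATTEMPTS = 3    # assumed number of guesses allowed per issued code

class SmsSecondFactor:
    """Hypothetical server-side model of the text-message security code."""

    def __init__(self, send_sms, clock=time.time):
        self.send_sms = send_sms   # callable(phone, text); stand-in for an SMS gateway
        self.clock = clock
        self.enrolled = {}         # user -> phone number whose ownership was proven
        self.pending = {}          # (user, purpose) -> [code, expires_at, attempts_left, phone]

    def _issue(self, user, purpose, phone):
        code = f"{secrets.randbelow(10**6):06d}"   # CSPRNG output, zero-padded to 6 digits
        self.pending[(user, purpose)] = [code, self.clock() + CODE_TTL, MAX_ATTEMPTS, phone]
        self.send_sms(phone, f"Your security code is {code}")

    def _check(self, user, purpose, submitted):
        entry = self.pending.get((user, purpose))
        if entry is None:
            return None
        code, expires_at, attempts_left, phone = entry
        fresh = self.clock() <= expires_at
        # Constant-time comparison so response timing does not leak matching digits.
        ok = fresh and hmac.compare_digest(code.encode(), submitted.encode())
        if ok or attempts_left <= 1:
            del self.pending[(user, purpose)]      # single use; burned after the last guess
        else:
            entry[2] -= 1
        return phone if ok else None

    def start_enrollment(self, user, phone):
        self._issue(user, "enroll", phone)

    def confirm_enrollment(self, user, submitted):
        phone = self._check(user, "enroll", submitted)
        if phone is not None:
            self.enrolled[user] = phone            # the user has shown they hold this phone
        return phone is not None

    def start_login(self, user):
        # Call only after the password check has passed; the code is the second factor.
        self._issue(user, "login", self.enrolled[user])

    def finish_login(self, user, submitted):
        return self._check(user, "login", submitted) is not None
```

A stolen or guessed password only gets as far as `start_login`; without the enrolled phone the caller has three guesses at a six-digit code before it is discarded.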
To add a security key to your account, log in, and then go to Profile -> PayPal Security Key. Choose either the hardware security key or enroll your phone for the mobile security key service. Even if you have to pay a few bucks for the hardware key, I think it’s worth it for the peace of mind.
Set up the security key: