I’m a frequent PayPal user and need access to it on the road while logged in to who-knows-how-secure coffee-shop WiFi. Whenever I entered my password, I was hit with the unsettling realization that this could be the time I handed over my credentials to a hacker.

So a few months ago I began using PayPal’s optional out-of-band, one-time password solution. Each time I log in, a random six-digit code is sent to my mobile phone. That code must be entered to complete the login. And while I feel much more secure, the extra 20 to 30 seconds it takes is a hassle, especially after a decade of password-only access (note 1).

To improve the user experience, while maintaining the extra authentication security, I’d like to see PayPal make the following changes: 

• Instead of requiring the user to press the “send SMS” button after logging in, just send the SMS code automatically. I’ve logged in at least a dozen times since enabling this feature and I still forget to press the button. I usually look at my phone for 10 seconds waiting for the code until I remember that I must click the button.
• Allow low-risk transactions to be authorized without the extra SMS code. I bought some iPhone chargers on eBay today for a total of $30. I would have preferred to skip the out-of-band authorization on this low-risk transaction, a small purchase made on eBay through my authenticated eBay account. 

Relevance for Netbankers
The second suggestion (above), what I call “context-sensitive security control,” is an important part of the tradeoff between security and usability. As long as customers are hassled for extra info only when the risk is higher, there’s a much better chance of gaining their cooperation, and attention, in security monitoring. Many banks feed an extra security question when customers log in from an unrecognized computer. That’s a great use of context-sensitive extra security.

Another situation where context-sensitive security controls can be deployed is for determining when an account is locked for excessive login attempts. If a user is logging in from a recognized computer, they should get far more leeway in the number of password attempts before the nuclear option, full lockout, is deployed. Unfortunately for me, Chase Bank has not yet taken this step (notes 2, 3).

————————-

Notes:
1. When we go shopping for a new business-banking relationship, out-of-band authorization capabilities will be a non-negotiable requirement.
2. Yesterday, Chase locked me out, without warning, after just 4 attempts (or was it 3?) from my main computer, which the bank knows very well. That’s ridiculous, from a recognized computer I should be able to try at least 7 or 8 times. I have multiple Chase accounts with different usernames and passwords and with a typo or two it’s easy to surpass 3 or 4 attempts.
3. Yes, I’ve whined about this before, but it’s been 3 years, so I was due.