A few days ago PayPal announced that they will be supporting Mobile Access for the PayPal Security Key. This means that to log into their accounts, PayPal users receive a 6 digit security code via a text message. This feature obviously adds an extra layer of security since instead of simply relying on something you know, they now also check for something you have (a mobile phone number). Additionally PayPal have supported security tokens for quite a while, which also produces the a 6 digit security code.
These measures address security issues associated with passwords by introducing an additional secret that is not static. The problem with passwords is that they can be easily copied and abused. Additionally, it is not easy to choose a unique and hard to guess password for each service that you subscribe to. That makes passwords one of the major security nightmares for services such as PayPal and your local bank. Two factor authentication addresses these concerns.
What two factor authentication does not target is web application security flaws. One of the questions that I have been asked when presenting my Surf Jacking research was “but doesn’t the security token prevent stealing other user’s credentials?” The answer to that is that yes it does but that does not prevent this particular attack. If your web application has a security flaw such as Cross Site Scripting then the attacker never needs to get your credentials. Such attacks usually happen after the victim has authenticated by supplying his username, password and secret key. Once clients authenticate to a web application, the web application assigns a session cookie to the web client. Many account hijacking attacks target this behavior by stealing the session cookie rather than the password or the secret 6 digit key. What this means is that at the end of the day, the overall security of a web application does not only rely on strong authentication methods, but also on the security of the web application itself.