Become a VIP for free (and get secure on the web)
A little while ago I put out a plea for stronger authentication for Google Apps, and it seems that my wish has been granted with Tricipher launching their myOneLogin for Google Apps[1]. I had tried myOneLogin before, and frankly wasn’t too impressed. This time things are different though, the issues I’d seen before with Chrome compatibility and general fiddlyness seem to have been fixed, but best of all is the use of a proper strong (soft) token, in the shape of VeriSign VIP Access for Mobile.
I first came across VIP when I saw the news that Verisign and PayPal had teamed up to do a deal on tokens. I wanted one, even if it was going to cost a few quid, but they were initially only available in the US, and I heard nothing more about them. Did the marketing guys lose interest, or did the phishing problem go away, or did something else come along? It turns out that eBay/PayPal will sell you a VIP hard token (a device with a button on it to generate one time passkeys [OTPs]) for $5/£3, but why bother when you can use a free mobile token on your BlackBerry/iPhone/whatever? The soft tokens can be used in a variety of other places, which begs the question of why other sites aren’t jumping on the bandwagon, and why nobody seems to be pushing this? Part of the answer might be the funding model; I’m not sure how Verisign are getting paid for this stuff, but I’m sure they’re not running their service as a charity for the web.
[1] Premier Edition only, as it needs SAML support
Filed under: identity, security | 2 Comments
Tags: authentication, google, identity, saas, security, strong authentication, tricipher, verisign, vip
Subscribe
Recent Comments
Tim Coote on Ross Anderson RIP iain on Skiing in Espace Killy (Val… Chris Swan on Getting more from a British Ga… Murray Cowell on Getting more from a British Ga… JL on AI MacGuffin 
Pinboard.in bookmarks- Commission proposes youth mobility between EU and UK
- DEA fuels moral panic over ADHD meds to justify its failed drug war
- Meta.ai Oh My!
- Looking for AI use-cases — Benedict Evans
- the biggest threat facing your team
- Why has Hugh Grant settled his phone hacking claim against the Sun?
- Open Source Security (OpenSSF) and OpenJS Foundations Issue Alert for Social Engineering Takeovers of Open Source Projects
- AI isn't useless. But is it worth it?
- Pluralistic: The true post-cyberpunk hero is a noir forensic accountant
- Subaru battery drain due to missing 3G network
Chris Swan's Weblog 
“The soft tokens can be used in a variety of other places, which begs the question of why other sites aren’t jumping on the bandwagon, and why nobody seems to be pushing this?”
I work for VeriSign and, speaking from behind the scenes, I have to agree. The VIP tokens are particularly relevant in light of the recent Hotmail & etc credential leak; if these sites allowed you to use two factor authentication to sign in these leaks would be useless. It’s great that google apps is finally providing this for enterprise customers, but as the webmaster of my own small site I’d like to see it implemented across the board.
Have you received/tried the token out yet? Any thoughts?
I’ve not got a hard token, but I’ve used the BlackBerry soft token a few times for Google Apps in test mode (I still need to get the rest of the company up and running, and satisfy myself that offline works OK etc.). For eBay and PayPal I’m now fully cut across.