Now you can "Log-In with PayPal"

[kyrathaba]

http://thenextweb.com/insider/2013/04/30/paypal-launches-login-with-paypal/

You know how you can sign into sites using your Twitter, LinkedIn, Google or Facebook accounts? PayPal just launched something called "Log In With PayPal...

PayPal is rolling out a new identity solution designed to help streamline the mobile shopping experience. Unveiled at the Future Insights conference in Las Vegas, the payment company is launching Log In With PayPal. With this service, developers and third-party commerce sites can easily help shoppers pay for what they want with as few swipes and information needed — but still in a secure environment.

Log In with PayPal is not PayPal’s competitor to Facebook Connect or Google+ Sign In. However, it does leverage the OAuth 2.0 protocol that Facebook uses to authenticate users. The idea is that the company’s 128 million account holders can simply complete their purchase through the use of their username and passsword, or mobile number and PIN as a confirmation of their identity."

[TaoPhoenix]

Wow, this is really becoming the "Teh New Hotne$$". Twitter has a decent reputation with me, having passed a "privacy standards survey" recently. Those other companies are all known for highly unclear privacy abuses! Now look who joins the party - Paypal!?
 

And it feels different this time, that they won't (very many of them) just fade away, they're getting "locked in" to the tech landscape. So someone somewhere definitely earned their consulting fees! But it's at the expense of the "freedom" of computing!

[Stoic Joker]

I can't help but wonder if these "Identity Solutions" don't make it easier to steal someone's identity. I mean look at the prevailing wisdom of not reusing passwords...how is this (global use identity account thing) really any different then using the same username and password for all of the shopping sites you've been to?

Frankly, it strikes me as being worse because at least with (granted incredibly foolish) reuse of passwords an ID thief is still restricted to using only the sites you've gone to. With this new "improvement" the thief can just go anywhere that accepts the service. All of the guesswork to see where your silly ass has setup a now exploitable account is totally eliminated.

[kyrathaba]

My guess is that Pay-Pal's "Log Me In" will probably be a sight better in terms of security than the others, given the nature of Pay-Pal's business model and their already-in-use encryption and other security measures. However, the only log-me-in I've used is Facebook's. And only for site's where security isn't paramount (Goodreads, for example).

[Stoic Joker]

My guess is that Pay-Pal's "Log Me In" will probably be a sight better in terms of security than the others, given the nature of Pay-Pal's business model and their already-in-use encryption and other security measures. However, the only log-me-in I've used is Facebook's. And only for site's where security isn't paramount (Goodreads, for example).

-kyrathaba (May 01, 2013, 11:38 AM)

No no ... I wasn't trying to critique their ability to secure the service properly. I'm just pondering aloud the strategic wisdom in using that type of (SSO) service. Doesn't matter if it's PP, FB, or MS Live ... If the reward for breaching the target is that great - due to the ubiquitous nature of the exposure - It just strikes me as a dangerously tempting target.

[wraith808]

It just strikes me as a dangerously tempting target.

-Stoic Joker (May 01, 2013, 11:45 AM)

This.  And anything can be broken given the time and effort- the reward just has to make it worth it. Linking any login to a financial entity = bad idea IMO.

[kyrathaba]

Linking any login to a financial entity = bad idea IMO.

Absolutely! And the log-me-in services should have a detailed blacklisting of financial institution URLs and refuse to allow their services to interact with such sites, IMHO.

@StoicJ: I agree with you in questioning the strategic wisdom of using SSO services in that way.

[barney]

Last time I looked - been a while - oAuth didn't seem all that secure to me.  But, I'm sure as Hell not gonna log in with financial username/password.  I've been called - and probably was - a fool before, but not that big a fool  .

[mouser]

As others have said, I don't see people using this.  However secure it may be, who is going to want to risk connecting to their financial institution login more than they have to.

On the other hand -- for years paypal has provided a super-easy-to-use, free security key hardware device which provides a serious and real extra layer of security to logging into their site.  They are way ahead of the banks in this regard and it's a genuinely excellent security enhancement.  I don't know why we haven't more use of such devices.  A single-login system that supported such hardware keys would be quite useful.

[Gary87zx]

Bad idea.

PayPal has a bad habit of capriciously and permanently looking out accounts and refusing to tell why. The happened to me about 15 years ago. As best I could determine, they banned a site and *everyone* who had ever bought from that site. I was an avid eBay purchaser then and had no idea what caused it or even what site it was.

I'm still locked out. I can use their guest pay but only with a credit card that was never associated with my Paypal account.

To add insult to injury, every time I do so, I get reminded that I have a Paypal account and get a suggestion that I sign in and use my account.

[barney]

On the other hand -- for years paypal has provided a super-easy-to-use, free security key hardware device which provides a serious and real extra layer of security to logging into their site.  They are way ahead of the banks in this regard and it's a genuinely excellent security enhancement.  I don't know why we haven't more use of such devices.  A single-login system that supported such hardware keys would be quite useful.

-mouser (May 14, 2013, 10:37 AM)

It's actually a pretty good idea, but there are downsides.  During my last corporate life, I was working for MCI - before Bernie Ebbers destroyed it - and a number of the senior managers had a credit-card sized device.  They'd log in to some internal Website, be prompted with a code which they then entered into the device.  They would then enter the response code from the device, and be allowed in.  The code/response had to be in a sixty (60) second time frame, or the login was voided.  Three (3) such void instances and they'd be locked out for the {day|week|month} and would be getting a call from the IT security folk.

However, battery life turned out to be a problem, as did the fragility of the device - you couldn't put it a hip wallet, so carrying it was problematic.  And, since it wasn't walletable, those senior managers would oft forget to bring it to work.  Even if they did remember, it was relatively fragile, often got broken.  But they were forbidden to leave it in their office, 'cause anyone who had access to their particular card had access to personnel and financial records that would otherwise have been unviewable.

[wraith808]

I can say from personal experience, that the battery life on these things is ridiculous.  I haven't had to replace mine (for another use... but the same principle) in 2 years.  And just having access to the device doesn't give you access to the account.  It syncs up the secureid with the server, and you enter that and your password.  You have to physically co-opt the person, and get their password.  And you should still not use the same password on different sites.

[cyberdiva]

Linking any login to a financial entity = bad idea IMO.

-wraith808 (May 01, 2013, 12:43 PM)

+1