But the big question is will they accept you knowing the number as proof you exist instead of having to fax copies of your utility bill at 3:30am to get your account unlocked?

Somehow I don't think so.

Kevin, I think you might be wrong there. RSA's website stays they sell SecurID. http://www.rsasecurity.comnode.asp?id=3051

This would guard against those emails, because the phisher would need the number from the device to log in and clean out the account. Since that number changes every 30 seconds, he would have to prompt for the magic number on the fake login phishing page, then manage to log in to paypal within 30 seconds after the user was phished. Since the magic number keeps changing, he won't be able to log in more than once.

Or, they can just email members and say "Don't be a damn idiot! Dont log in through emails! Log in through the Paypal home page!"

And save lots of time and effort.

Unless, of course, they are turning a profit from these stupid devices.

This would guard against those emails, because the phisher would need the number from the device to log in and clean out the account. Since that number changes every 30 seconds, he would have to prompt for the magic number on the fake login phishing page, then manage to log in to paypal within 30 seconds after the user was phished. Since the magic number keeps changing, he won't be able to log in more than once.

For those who don't know, the token works by running a unique random seed value and a timestamp value through an algorithm to generate a key number that changes every 60 seconds. The clock inside the token is accurate enough to stay synced for years, so the auth server runs the same algorithm the token runs to compare the key and return a pass/fail.

Every implementation I've seen combines the token's code with a standard password - this is what is called "two-factor" authentication, the factors being something you know (your account number and password) and something you possess (the token). This lowers the possibility of someone accessing your account if they steal your SecurID (much like ATM card + PIN auth systems).

An ideal solution to the four-tokens-on-my-keychain problem would be a centralized SecurID authentication service, so that one could carry a single token to authenticate with any client site. However, I doubt the sites themselves trust a single outside party enough for this to ever gain traction (remember Windows Passport?). But if this does happen I will be a happy man indeed.

I've dealt with these tokens for various security things with companies I've done work for. Pain in the ass. Paypal should be paying us for using them.

From what I know, the biggest security problem is those emails that say, "You need to log in to verify something!"

I find this a bit unnessicary.