Blog: Multi-Factor Authentication

At CoNetrix we've helped many customers implement Multi-Factor Authentication (MFA) over the past year. Most of these implementations have been to support employees working from home or migration to cloud-based services such as Microsoft 365.

Overall I consider MFA to be a positive approach to improving account security and preventing unauthorized access due to phishing or weak passwords. But as MFA becomes more common, are there any "gotchas" that we need to consider?

I recently encountered a situation where a user was getting prompted for an MFA "allow" through a smartphone app when they weren't actively trying to log on. This type of non-interactive login using MFA is potentially dangerous because the user can become desensitized and automatically click "allow" or "approve" without knowing if it's a valid login attempt. Obviously this completely defeats the purpose of using MFA in the first place.

How do we prevent this problem?
- Ensure your MFA solution is configured so it is only used for interactive logins and not background processes or services.
- Train users that they should only see an MFA prompt when they themselves are trying to log in, and that they should never approve a login automatically.
- If the above are not practical or effective, then consider configuring MFA to require the user to enter a code instead of approving through a push alert.
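The first two points above are easier to enforce when you can see the problem in your authentication logs. The following is an added example, not code from the original post or from any MFA vendor: it parses a constructed, hypothetical log format (adapt the regular expression to what your identity provider actually emits), flags push prompts that were triggered by a non-interactive session, and flags users who received several push prompts in a short window without approving them, which is the pattern that precedes "just click allow" fatigue.

```python
"""Detect MFA push-prompt fatigue patterns in authentication logs.

Added example, not from the original post. The log format is a constructed,
hypothetical one; real IdPs differ, so adjust LINE_RE for your environment.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample log lines (hypothetical format, not from any real product).
SAMPLE_LOG = """\
2024-03-01T09:00:05Z user=alice event=mfa_push interactive=true result=approved
2024-03-01T09:42:10Z user=bob event=mfa_push interactive=false result=approved
2024-03-01T11:15:00Z user=carol event=mfa_push interactive=true result=denied
2024-03-01T11:15:40Z user=carol event=mfa_push interactive=true result=timeout
2024-03-01T11:16:30Z user=carol event=mfa_push interactive=true result=denied
2024-03-01T11:17:05Z user=carol event=mfa_push interactive=true result=approved
2024-03-01T14:00:00Z user=dave event=mfa_push interactive=true result=approved
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) event=mfa_push "
    r"interactive=(?P<interactive>true|false) result=(?P<result>\S+)$"
)


def parse_events(text):
    """Turn raw log text into a list of dicts; lines that don't match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append({
            "ts": ts,
            "user": m["user"],
            "interactive": m["interactive"] == "true",
            "result": m["result"],
        })
    return events


def non_interactive_pushes(events):
    """Push prompts issued for a background process or service rather than a
    user-driven login. Any hit here points at the configuration problem in
    the first bullet above: MFA should not be prompting for those at all."""
    return [e for e in events if not e["interactive"]]


def push_fatigue_candidates(events, threshold=3, window=timedelta(minutes=10)):
    """Users who received `threshold` or more push prompts that were NOT
    approved inside `window`. Returns {user: max prompts seen in one window}.

    Repeated denied/timed-out prompts are exactly what trains a user to
    start tapping "allow" reflexively, so these users (and whatever is
    generating the prompts) deserve a closer look."""
    by_user = defaultdict(list)
    for e in events:
        if e["result"] != "approved":
            by_user[e["user"]].append(e["ts"])

    flagged = {}
    for user, times in by_user.items():
        times.sort()
        start = 0
        # Sliding window: advance `start` until the window fits, then count.
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                flagged[user] = max(flagged.get(user, 0), count)
    return flagged


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    for e in non_interactive_pushes(evs):
        print(f"non-interactive push for {e['user']} at {e['ts'].isoformat()}")
    for user, n in push_fatigue_candidates(evs).items():
        print(f"possible push fatigue: {user} had {n} unapproved prompts in 10 min")
```

On the sample data this reports bob's push (sent for a non-interactive session) and carol (three unapproved prompts within two minutes, followed by an approval). In practice you would run this against a day's worth of IdP export and use the results to find the background job or service that is generating prompts, rather than blaming the user.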

Multi-Factor Authentication is a great solution to provide an additional layer of security to protect our businesses. However, like any technology, we need to carefully consider the implementation and how it will affect our employees.


I pay for eBay purchases and, increasingly, purchases at scores of online vendors using PayPal. Despite using a complex password, given that my checking and credit card accounts are linked to my PayPal account, I was delighted to discover an additional security measure for the sites. PayPal has offered a Security Key Token (see picture) for some time. The token generates a one-time security code which is entered into the website after your username and password, providing true dual-factor authentication (something you “know”, the username and password, and something you “have”, the token). The token is available for only $5, but it is just another bulge on my key chain and I don’t use PayPal often enough to lug the token around all the time.

I discovered an iPhone app from VeriSign that generates a one-time security code (just like the token). VIP Access, according to the VeriSign website, works with PayPal and eBay. After downloading and installing the app and searching all over the PayPal and eBay sites, I could never find a reference to VIP Access, let alone how to configure it to work with my profiles on those sites.

However, in the course of trying to figure out how to use VIP Access with PayPal and eBay, I discovered you can use your mobile phone to receive a text message with a one-time security code. You simply log in to PayPal as usual, go to your Profile, select PayPal Security Key (under Account Information), select Get security key and register your cell phone number. The site will then send you a text message with a code to activate the functionality.

After activation, you will be required to enter your username and password, click a button (Send SMS) which generates a text message with your one-time security code, then enter the security code within 30 seconds. Note there is a workaround if you don’t have your cell phone (in the form of security questions).

I like this option because it provides additional security for my PayPal account without having to carry around a token on my key chain.

UPDATE:  Shortly after this post, I decided to send VeriSign an e-mail about the apparent lack of compatibility between their iPhone app, VIP Access, and PayPal and eBay (see the second paragraph in Part One above).  After hitting “Send”, I went back to the PayPal site for one more look-see.

Clicking on the “Get extra protection with a PayPal Security Key now” link, I was presented with three options: the PayPal Security Key hardware token, configuring your mobile phone to use text messaging (described above) and the VIP (VeriSign Identity Protection) token. I had seen the VIP token before and had even clicked on the link.

However, it appeared this was simply a VeriSign-branded hardware token, virtually identical to the PayPal-branded token.  In order to activate the token, it asked for a serial number from the back of the token and two consecutive 6-digit codes generated by the token.  Since I don’t have a physical token and e-mails to PayPal asking about the VIP Access iPhone app were fruitless, I thought I was out of luck.

However, I launched the VIP Access app on my iPhone and noted a “Credential ID” number in addition to the one-time Security Code (with its 30 second countdown clock). I entered the “Credential ID” number into the “Serial number” field on the PayPal website, entered the security code in the first 6-digit code field, waited for another code to be generated and entered it in the “Next 6-digit code” field and clicked “Activate”. Lo and behold, it worked. So now, I can use either the VIP Access iPhone app or have the PayPal site send me a text message containing the security code.
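What the hardware token, the VIP Access app and the activation form above are doing is standard time-based one-time password (TOTP, RFC 6238) arithmetic: a shared secret, the current 30-second time step, and a 6-digit HMAC-derived code. The block below is an added example, not PayPal's or VeriSign's code, and it makes no claim about which secret format or hash those products actually use. It generates codes from a secret, verifies a submitted code with a small clock-skew allowance, and reproduces the "two consecutive 6-digit codes" activation check as a server would implement it: the second code must come from the time step immediately after the first. The secret is the published RFC 6238 test secret, so the results below are the RFC's own test vectors, and the timestamps are constructed.

```python
"""RFC 6238 TOTP (HMAC-SHA1, 30-second step, 6 digits) with the
"two consecutive codes" activation check used when registering a token.

Added example; not PayPal's or VeriSign's implementation. SECRET is the
well-known RFC 4226/6238 test secret, chosen so results match the RFC vectors.
"""
import base64
import hashlib
import hmac
import struct
import time

STEP_SECONDS = 30          # matches the 30-second countdown in the app
DIGITS = 6                 # matches the 6-digit code fields on the form

# RFC test secret "12345678901234567890" as bytes and in the base32 form
# most authenticator apps are provisioned with.
SECRET = b"12345678901234567890"
SECRET_BASE32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def secret_from_base32(text: str) -> bytes:
    """Decode a base32 provisioning secret, tolerating lowercase/missing padding."""
    cleaned = text.strip().replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    then 'dynamic truncation' to a `digits`-digit decimal string."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = STEP_SECONDS) -> str:
    """TOTP is HOTP with the counter set to the current time step."""
    return hotp(secret, unix_time // step)


def seconds_remaining(unix_time: int, step: int = STEP_SECONDS) -> int:
    """What the app's countdown clock shows for this instant."""
    return step - (unix_time % step)


def _candidate_steps(base: int, skew_steps: int):
    # Never go below counter 0 (struct.pack would reject a negative value).
    return [base + d for d in range(-skew_steps, skew_steps + 1) if base + d >= 0]


def verify_code(secret: bytes, code: str, unix_time: int, skew_steps: int = 1) -> bool:
    """Accept a code for the current step or +/- `skew_steps` neighbours to
    tolerate clock drift. Comparison is constant-time."""
    return any(hmac.compare_digest(hotp(secret, c), code)
               for c in _candidate_steps(unix_time // STEP_SECONDS, skew_steps))


def activate_with_consecutive_codes(secret: bytes, first_code: str, next_code: str,
                                    unix_time: int, skew_steps: int = 2) -> bool:
    """Activation check as on the registration form: the two submitted codes
    must come from consecutive time steps, in order, near the current time.
    Asking for two codes proves the device really derives codes from the
    secret rather than having guessed one 6-digit value."""
    for c in _candidate_steps(unix_time // STEP_SECONDS, skew_steps):
        if (hmac.compare_digest(hotp(secret, c), first_code)
                and hmac.compare_digest(hotp(secret, c + 1), next_code)):
            return True
    return False


if __name__ == "__main__":
    now = int(time.time())
    print(f"current code: {totp(SECRET, now)} ({seconds_remaining(now)}s left)")
```

Note that the activation check accepts the pair only in the order the codes were generated; a user who types the newer code into the first field will be rejected, which is worth remembering if you are writing the help text for such a form.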

I also found a link on the PayPal site to eBay to configure my VIP “token” to work on eBay. Configuration was just as on the PayPal site (i.e. entering the “Credential ID” number in the “Serial number” field).

Visit for details about VIP Access for mobile phones and for a list of member websites, notably GEICO, AOL and Merrill Lynch, in addition to PayPal and eBay.