PayPal Security Key. How does it work?

PayPal sent me an offer for a small digital security key. It generates a 6 digit number, apparently good for 30 seconds (or it changes after 30 sec…not sure).

I use it to sign into both eBay and PayPal, along with the regular user name and password. So far, it’s worked fine. But what happens when the battery dies?

The PayPal web site is pretty vague on just what happens, other than send them $5 and they send you one of the keys, postage paid.

I’m curious about the technology behind it. Is this some kind of time-based calculation? (I really want to type “algorithm”, but that makes me think of Al Gore…)


I believe PayPal offers SecureID hardware tokens.

Flash demo:

How does it work? In simple terms, the device uses an algorithm for which the inputs are 1. Time and 2. a key unique to your hardware (e.g. hardware serial number). The output of this combination is the resulting token number. The server uses the same two inputs, and therefore has the same output. If the outputs match, authentication is successful.

See also:,guid,62f14e36-5aaf-4b2a-b470-733fdfcf7e9b.aspx


Thank you. That’s pretty much what I thought. I just wan’t sure how the time factor figured in. Still, kinda a cool gizmo…


It has been a long day. That “wan’t” in the previous post is missing an “s”, and should read “wasn’t.”

My apologies to sharp-eyed readers that offends. Not my first mistake, probably not my last (unless I die tonight).



In case you’re still unclear about how time is factored in (and if you’re already clear, then for the benefit of others reading this thread)…

Let’s assume for simplicity’s sake, that we have:

  1. Input 1 (Time)
  2. Input 2 (Serial Number)
  3. Algorithm

All 3 of which are available to the device. Time is constantly changing, but at any given instance the current value is available as Input 1. Serial Number does not change and the value is also available. The algorithm is programmed into the device.

Now, let’s assume that the algorithm is something as simple as “Add Input 1 to Input 2, then multiply by 5 and add 250 to the result” (it’s not really this simple, it’s actually AES encryption)

Let’s say the time on the device is currently 01:00:53 on Sunday July 13, 2009. This can be stored as “20090713010053” (note that this is not really how computers store time, but I’m just using this for illustration purposes). So, Input 1 = 20090713010053

Now, let’s assume Input 2 (Serial Number for your specific hardware unit) is “44893271231987”

Input 1 = 20090713010053
Input 2 = 44893271231987

Algorithm = (((Input 1 + Input 2) x 5) + 250)

Result = ((((20090713010053 + 44893271231987) x 5) + 250)
Result = 324919921210450 (this is what displays on your unit)

The server uses the same inputs and algorithm to reach the same result. The authentication server compares what you see on your unit to what it calculated.