You know where I’m going with this, right? (I can see Robert holding his head in his hands right now)
So eWeek and others have reported that PayPal are going to stop the use of "unsafe" browsers, those that don’t include anti-phishing protection or support for EV certificates. Setting aside the knee-jerk "They can’t do that" arguments on Slashdot (of course they can, it’s their web site), it would be interesting to see if PayPal stick to their guns, as Safari users would get locked out. It makes sense; PayPal is one of the most commonly spoofed web sites, with numerous spam messages telling users their passwords need reset.
PayPal already publishes SPF records, which email providers could use to filter fake @paypal.com emails, which is a good start (well, it would be if more email servers would actually check the SPF details). Last January PayPal announced two-factor authentication in the shape of a Verisign one-time password device which users could purchase for $5 (and only for users in the US). In November someone noticed that the one-time password was being ignored and you could simply use any 6-digit number.
Like I said, you know where I’m going with this. It’s hard to describe information cards to someone who doesn’t know about them (I was trying to describe it to someone at Microsoft this week who had sat down with the CardSpace marketing person [I know, I’m as surprised as you are] and still couldn’t understand it). I sometimes liken it to mid-way between username/password and a hardware token solution. To me this is an obvious next step for PayPal to take; they could issue their own managed information cards, thus controlling the authentication and authorisation without the need for expensive, hard-to-manage hardware. There is even a Safari plugin for Mac users.
Do I believe it will happen? I’d love to, I really would; but truth be told I doubt it. MS should be jumping in there, offering to help; but Information Cards make no money. It’s a "for the greater good" effort and MS do not have a stellar history in that arena. We’ll see; but I would put money on PayPal acting like plip and saying "Card What?"