I first read about security tokens for PayPal about a year or so ago and I was quite excited. I really like PayPal, but have had at least one friend who had their account hacked. At the time, however, the security token wasn't available in Canada. :(
You can imagine my delight, then, when I got an email last week from PayPal Canada's PR firm letting me know that they were now available in Canada. W00t! They offered to send me a token to try.
Once I got the token and tried to set it up, I did have the tiniest little glitch. The action screen had 3 pictures on it. I chose the picture of the token I had. I then got caught in this infinite loop: "You don't have a key; order a Key. I don't want to order a key; I have a key. You don't have a key; order a key. I don't want to ORDER a key; I HAVE a key." (It was very Escheresque - PayPal usability people take note!).
But then I read the copy (no one reads when there are pictures) and figured it out.
The idea behind the tokens is that they provide an additional security challenge when logging into your account. In addition to needing your login and password, they generate a random 6-digit number that is also required for logging in.
In order to register your token, you just input the ID code on the back of the token along with two subsequent random keys it generates. That verifies the key and it's tied to your account.
Then, when you want to use your PayPal account, after you've input your login and password, you are prompted for the latest 6-digit number from your token.
Once you enter that correctly, you have access to your PayPal account as usual.
You can also get 6-digit codes sent to your mobile device via SMS if you don't want to mess with the token. You just register your phone number and the 6-digit code is sent there.
Finally, if register for either of these services, but happen to be caught without your token or phone, you can still use your account - PayPal just asks you an additional series of questions that (in theory) only you know the answers to to verify your identity.
More info about the security token and SMS codes can be found on PayPal Canada's security page. The tokens are only $5!
One question I did have is whether or not you can use the same token on multiple accounts. I have both a business and a personal PayPal account - it would be super handy if I could register the same token to both. They don't mention this is the FAQ; I've got a question into the PayPal folks.
Update: I got an answer back from the PayPal folks - you do have to have a separate token for each account. I'm going to try the SMS option with my business account and see how that works.