Feeds

PayPal security boss: OBLITERATE passwords from THE PLANET

Get used to fingerprint, eyeball scanners, warns exec

Application security programs and practises

PayPal has declared war on the password - and wants a better way for folks to perform open sesame on their own internet accounts.

Speaking at the Interop security conference in Las Vegas yesterday, Michael Barrett, chief information security officer at PayPal, talked about his work to create an open standard that could remove the need for passwords.

As well as working for the online cash handler, Barrett is president of the Fast Identity Online (FIDO) Alliance, which aims to devise ways to break netizens' reliance on memorising strong passwords.

During a keynote speech at Interop, Barrett said: "Our intention is to really obliterate, within a certain number of years, both passwords and PINs and see the whole internet — including internally in enterprises — obliterate user IDs and passwords and PINs from the face of the planet."

The FIDO solution works by using an authentication device that connects to websites to verify a person's identity. These devices could be USB keys, fingerprint sensors or embedded hardware, and require some user interaction, such as swiping a card, stroking their finger over a sensor or scanning their eyes.

"There is a FIDO client or a FIDO stack that has to be on the device concerned," Barrett added (perhaps momentarily confusing anyone old enough to remember the unrelated Fido BBS).

"That piece of software knows how to talk the FIDO protocol back to the relying parties' server. Say you show up to PayPal.com once PayPal becomes FIDO-enabled, which we're in the process of doing. Once you come to our site, we will ping the device."

After this initial communication, the user is then told what sort of input is needed to verify their identity.

"For most people, they authenticate to a very small set of devices. The notion is you authenticate to your device and the device authenticates securely to a [website]," Barrett continued. "The credentials that authenticate you to your device are stored securely in the device and do not leave it."

Single-factor authentication using a password is a fairly weak way to protect highly sensitive information - on top of hackers raiding corporate password databases for hashes to crack or unprotected passphrases to swipe, people really aren't helping themselves by using flimsy login secrets: the most used password of 2012 was revealed to be simply "password". ®

Eight steps to building an HP BladeSystem

More from The Register

next story
Sysadmin Day 2014: Quick, there's still time to get the beers in
He walked over the broken glass, killed the thugs... and er... reconnected the cables*
Apple fanbois SCREAM as update BRICKS their Macbook Airs
Ragegasm spills over as firmware upgrade kills machines
Amazon Reveals One Weird Trick: A Loss On Almost $20bn In Sales
Investors really hate it: Share price plunge as growth SLOWS in key AWS division
SHOCK and AWS: The fall of Amazon's deflationary cloud
Just as Jeff Bezos did to books and CDs, Amazon's rivals are now doing to it
EU's top data cops to meet Google, Microsoft et al over 'right to be forgotten'
Plan to hammer out 'coherent' guidelines. Good luck chaps!
US judge: YES, cops or feds so can slurp an ENTIRE Gmail account
Crooks don't have folders labelled 'drug records', opines NY beak
Auntie remains MYSTIFIED by that weekend BBC iPlayer and website outage
Still doing 'forensics' on the caching layer – Beeb digi wonk
Manic malware Mayhem spreads through Linux, FreeBSD web servers
And how Google could cripple infection rate in a second
prev story

Whitepapers

Top three mobile application threats
Prevent sensitive data leakage over insecure channels or stolen mobile devices.
Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Boost IT visibility and business value
How building a great service catalog relieves pressure points and demonstrates the value of IT service management.
Designing a Defense for Mobile Applications
Learn about the various considerations for defending mobile applications - from the application architecture itself to the myriad testing technologies.
Build a business case: developing custom apps
Learn how to maximize the value of custom applications by accelerating and simplifying their development.