Feeds

PayPal security boss: OBLITERATE passwords from THE PLANET

Get used to fingerprint, eyeball scanners, warns exec

Secure remote control for conventional and virtual desktops

PayPal has declared war on the password - and wants a better way for folks to perform open sesame on their own internet accounts.

Speaking at the Interop security conference in Las Vegas yesterday, Michael Barrett, chief information security officer at PayPal, talked about his work to create an open standard that could remove the need for passwords.

As well as working for the online cash handler, Barrett is president of the Fast Identity Online (FIDO) Alliance, which aims to devise ways to break netizens' reliance on memorising strong passwords.

During a keynote speech at Interop, Barrett said: "Our intention is to really obliterate, within a certain number of years, both passwords and PINs and see the whole internet — including internally in enterprises — obliterate user IDs and passwords and PINs from the face of the planet."

The FIDO solution works by using an authentication device that connects to websites to verify a person's identity. These devices could be USB keys, fingerprint sensors or embedded hardware, and require some user interaction, such as swiping a card, stroking their finger over a sensor or scanning their eyes.

"There is a FIDO client or a FIDO stack that has to be on the device concerned," Barrett added (perhaps momentarily confusing anyone old enough to remember the unrelated Fido BBS).

"That piece of software knows how to talk the FIDO protocol back to the relying parties' server. Say you show up to PayPal.com once PayPal becomes FIDO-enabled, which we're in the process of doing. Once you come to our site, we will ping the device."

After this initial communication, the user is then told what sort of input is needed to verify their identity.

"For most people, they authenticate to a very small set of devices. The notion is you authenticate to your device and the device authenticates securely to a [website]," Barrett continued. "The credentials that authenticate you to your device are stored securely in the device and do not leave it."

Single-factor authentication using a password is a fairly weak way to protect highly sensitive information - on top of hackers raiding corporate password databases for hashes to crack or unprotected passphrases to swipe, people really aren't helping themselves by using flimsy login secrets: the most used password of 2012 was revealed to be simply "password". ®

Secure remote control for conventional and virtual desktops

More from The Register

next story
Ellison: Sparc M7 is Oracle's most important silicon EVER
'Acceleration engines' key to performance, security, Larry says
Oracle SHELLSHOCKER - data titan lists unpatchables
Database kingpin lists 32 products that can't be patched (yet) as GNU fixes second vuln
Ello? ello? ello?: Facebook challenger in DDoS KNOCKOUT
Gets back up again after half an hour though
Hey, what's a STORAGE company doing working on Internet-of-Cars?
Boo - it's not a terabyte car, it's just predictive maintenance and that
Troll hunter Rackspace turns Rotatable's bizarro patent to stone
News of the Weird: Screen-rotating technology declared unpatentable
prev story

Whitepapers

A strategic approach to identity relationship management
ForgeRock commissioned Forrester to evaluate companies’ IAM practices and requirements when it comes to customer-facing scenarios versus employee-facing ones.
Storage capacity and performance optimization at Mizuno USA
Mizuno USA turn to Tegile storage technology to solve both their SAN and backup issues.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Beginner's guide to SSL certificates
De-mystify the technology involved and give you the information you need to make the best decision when considering your online security options.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.