PayPal security boss: OBLITERATE passwords from THE PLANET

Get used to fingerprint, eyeball scanners, warns exec

PayPal has declared war on the password - and wants a better way for folks to perform open sesame on their own internet accounts.

Speaking at the Interop security conference in Las Vegas yesterday, Michael Barrett, chief information security officer at PayPal, talked about his work to create an open standard that could remove the need for passwords.

As well as working for the online cash handler, Barrett is president of the Fast Identity Online (FIDO) Alliance, which aims to devise ways to break netizens' reliance on memorising strong passwords.

During a keynote speech at Interop, Barrett said: "Our intention is to really obliterate, within a certain number of years, both passwords and PINs and see the whole internet — including internally in enterprises — obliterate user IDs and passwords and PINs from the face of the planet."

The FIDO solution works by using an authentication device that connects to websites to verify a person's identity. These devices could be USB keys, fingerprint sensors or embedded hardware, and they require some user interaction, such as swiping a card, stroking a finger over a sensor or scanning an eye.

"There is a FIDO client or a FIDO stack that has to be on the device concerned," Barrett added (perhaps momentarily confusing anyone old enough to remember the unrelated Fido BBS).

"That piece of software knows how to talk the FIDO protocol back to the relying parties' server. Say you show up to PayPal.com once PayPal becomes FIDO-enabled, which we're in the process of doing. Once you come to our site, we will ping the device."

After this initial communication, the user is then told what sort of input is needed to verify their identity.

"For most people, they authenticate to a very small set of devices. The notion is you authenticate to your device and the device authenticates securely to a [website]," Barrett continued. "The credentials that authenticate you to your device are stored securely in the device and do not leave it."

Single-factor authentication using a password is a fairly weak way to protect highly sensitive information. On top of hackers raiding corporate password databases for hashes to crack or unprotected passphrases to swipe, people really aren't helping themselves by using flimsy login secrets: the most used password of 2012 was revealed to be simply "password". ®
