Feeds

PayPal security boss: OBLITERATE passwords from THE PLANET

Get used to fingerprint, eyeball scanners, warns exec

Internet Security Threat Report 2014

PayPal has declared war on the password - and wants a better way for folks to perform open sesame on their own internet accounts.

Speaking at the Interop security conference in Las Vegas yesterday, Michael Barrett, chief information security officer at PayPal, talked about his work to create an open standard that could remove the need for passwords.

As well as working for the online cash handler, Barrett is president of the Fast Identity Online (FIDO) Alliance, which aims to devise ways to break netizens' reliance on memorising strong passwords.

During a keynote speech at Interop, Barrett said: "Our intention is to really obliterate, within a certain number of years, both passwords and PINs and see the whole internet — including internally in enterprises — obliterate user IDs and passwords and PINs from the face of the planet."

The FIDO solution works by using an authentication device that connects to websites to verify a person's identity. These devices could be USB keys, fingerprint sensors or embedded hardware, and require some user interaction, such as swiping a card, stroking their finger over a sensor or scanning their eyes.

"There is a FIDO client or a FIDO stack that has to be on the device concerned," Barrett added (perhaps momentarily confusing anyone old enough to remember the unrelated Fido BBS).

"That piece of software knows how to talk the FIDO protocol back to the relying parties' server. Say you show up to PayPal.com once PayPal becomes FIDO-enabled, which we're in the process of doing. Once you come to our site, we will ping the device."

After this initial communication, the user is then told what sort of input is needed to verify their identity.

"For most people, they authenticate to a very small set of devices. The notion is you authenticate to your device and the device authenticates securely to a [website]," Barrett continued. "The credentials that authenticate you to your device are stored securely in the device and do not leave it."

Single-factor authentication using a password is a fairly weak way to protect highly sensitive information - on top of hackers raiding corporate password databases for hashes to crack or unprotected passphrases to swipe, people really aren't helping themselves by using flimsy login secrets: the most used password of 2012 was revealed to be simply "password". ®

Intelligent flash storage arrays

More from The Register

next story
Azure TITSUP caused by INFINITE LOOP
Fat fingered geo-block kept Aussies in the dark
NASA launches new climate model at SC14
75 days of supercomputing later ...
Yahoo! blames! MONSTER! email! OUTAGE! on! CUT! CABLE! bungle!
Weekend woe for BT as telco struggles to restore service
Cloud unicorns are extinct so DiData cloud mess was YOUR fault
Applications need to be built to handle TITSUP incidents
BOFH: WHERE did this 'fax-enabled' printer UPGRADE come from?
Don't worry about that cable, it's part of the config
Stop the IoT revolution! We need to figure out packet sizes first
Researchers test 802.15.4 and find we know nuh-think! about large scale sensor network ops
DEATH by COMMENTS: WordPress XSS vuln is BIGGEST for YEARS
Trio of XSS turns attackers into admins
SanDisk vows: We'll have a 16TB SSD WHOPPER by 2016
Flash WORM has a serious use for archived photos and videos
prev story

Whitepapers

Why and how to choose the right cloud vendor
The benefits of cloud-based storage in your processes. Eliminate onsite, disk-based backup and archiving in favor of cloud-based data protection.
A strategic approach to identity relationship management
ForgeRock commissioned Forrester to evaluate companies’ IAM practices and requirements when it comes to customer-facing scenarios versus employee-facing ones.
Go beyond APM with real-time IT operations analytics
How IT operations teams can harness the wealth of wire data already flowing through their environment for real-time operational intelligence.
The total economic impact of Druva inSync
Examining the ROI enterprises may realize by implementing inSync, as they look to improve backup and recovery of endpoint data in a cost-effective manner.
Reg Reader Research: SaaS based Email and Office Productivity Tools
Read this Reg reader report which provides advice and guidance for SMBs towards the use of SaaS based email and Office productivity tools.