PayPal Exec Wants to Obliterate Passwords

Source: MacWorld | 15 comments

PayPal's CIO says the password's days as an authentication system are numbered.

If you spend any amount of time online, you'll know just how important passwords are. But are they on the way out? PayPal's chief information security officer Michael Barrett wants to remove the need for passwords completely. Aside from working for PayPal, Barrett also serves as president of the Fast IDentity Online (FIDO) Alliance, an organization that hopes to revolutionize authentication with a new, more secure protocol.

According to MacWorld, Barrett believes that our widespread use of passwords is making them less secure. Because people tend to reuse passwords rather than remembering a different one for every service they visit, Barrett says a user is really only as secure as the least secure place they go online. In short, he wants passwords to die off.

"Users will pick poor passwords and then they'll reuse them everywhere," Barrett is quoted as saying at Interop late last week. "That has the effect of reducing the security of their most secure account to the security of the least secure place they visit on the internet."

FIDO is hoping to eliminate the need for passwords using a combination of hardware, software and the internet. More specifically, FIDO offers a range of solutions incorporating fingerprint readers, hardware tokens and USB memory sticks, together with special software. The token verifies your identity locally, and the software speaks the FIDO protocol to whatever website you're trying to access.


"For most people, they authenticate to a very small set of devices. The notion is you authenticate to your device and the device authenticates securely to a [website]," Barrett is quoted by The Register as saying. "The credentials that authenticate you to your device are stored securely in the device and do not leave it."

Barrett says we'll start seeing FIDO-enabled devices this year. However, it will likely be a while before the protocol becomes widespread enough to kill off the common password. Until then, the best thing you can do is use a different password for every account, set up two-step verification wherever possible, and change your passwords often.

Further Reading

The Register

  • 7
    aracheb, May 13, 2013 12:48 PM
    This looks like a cross of interest here; it doesn't look like he wants to eliminate the password because it is creating problems. It looks like he wants to favor his personal company while pushing PayPal and the users to buy his personal company's crap.
  • 0
    fudoka711, May 13, 2013 12:57 PM
    Yes, it could be a conflict of interest (not cross), but he does have a point when he talks about people using dumb passwords and then using the same or similar ones across all their accounts. I don't really know if his mentioned method(s) are the best alternatives for the future, but something should be done.
  • 2
    everlast66, May 13, 2013 1:15 PM
    With such executives at the helm, customers might obliterate PayPal by using their feet.
  • -2
    InvalidError, May 13, 2013 1:19 PM
    Someone steals your computer or mobile device and gains access to all your services if he manages to break the password on it... thanks but no thanks. As much as I hate having to manage passwords, I'll stick with passwords. It gets even worse if the lost/stolen device happened to be your registered account recovery method.
    With most sites remembering sessions through cookies for a long time, I simply reset passwords instead of trying to remember what I used when I forget. That's more or less like having sites do secondary authentication over SMS.
    Unless the authentication method is something like an RFID implant which makes it nearly impossible to lose or steal, there is no getting away from needing a brain-based verification somewhere along the way.
  • 7
    royalcrown, May 13, 2013 1:52 PM
    "There will naturally be a small fee increase to cover the migration to this new system" ... we are constantly looking for ways to squeeze more fees, er, enhance customer service ... blah blah
  • 2
    DRosencraft, May 13, 2013 2:38 PM
    There is no such thing as a perfectly secure system. The flaw with this idea is that rather than penetrating an individual's password through whatever method, the criminal attacks the system that controls the authentication and verification process. If anything I would imagine this helps such criminals since they can focus on hacking a single point of entry and potentially gain access to thousands of accounts at once, as opposed to an effort at snooping into a number of individual accounts. But I can't say I understand the idea perfectly, so I could be missing something. It just seems to me to be misplaced efforts on security. Focus on keeping hackers out of the existing systems and educating the public on better password use and protection. I don't want to be giving some web-store my fingerprints just so I can buy something from them.
  • 0
    Lochal, May 13, 2013 3:53 PM
    I think you all missed the point. This isn't about a device signing in for you. This is about you authenticating to a device, and that replaces the password. You still have to give some unique identification; it just isn't a password. An example would be: I want to sign into my bank account online, so I have to have my fingerprint reader read my fingerprint and send that as authentication to the bank application. Is it foolproof? No, but it's better than a password.
  • 0
    anxiousinfusion, May 13, 2013 4:42 PM
    This will only add yet another standard that users will need to remember to keep track of. XKCD describes this scenario:
  • -6
    PhilipCohen, May 13, 2013 4:56 PM
    Actually, it's PreyPal that needs to be obliterated ...
    Hello MasterCard "MasterPass". Goodbye clunky PreyPal—it has not been nice knowing you ...
  • 0
    Steven Travis, May 13, 2013 6:32 PM
    Or you could use a password with a token (such as is provided by Google Authenticator and others), and that is better than any single-point security system.
    I think Paypal tried the two factor authentication but it just wasn't as seamless as it is with Google and MS.
  • 0
    viometrix, May 13, 2013 7:44 PM
    I'd like to see where this is going; I think a combo TPM fingerprint reader will do nicely.
  • 0
    g00fysmiley, May 14, 2013 5:45 AM
    Why not do what some MMORPGs do and offer the option of an authenticator: apps for smartphones and maybe even regular cell phones that generate random number sequences and keep modifying them from there, which makes it almost impossible to hack. Win-win, very secure, and people already have the hardware... this guy seems to just want to make money selling his toys.
  • 0
    slomo4sho, May 14, 2013 10:04 AM
    People still use PayPal even though there are much better options available without the lousy customer service that PayPal is known for?
  • 0
    targetdrone, May 14, 2013 11:00 AM
    Wasn't RSA hacked a few years ago, and didn't they have to replace some 40 million fobs as a result?