PayPal's CIO says the password's days as an authentication system are numbered.
If you spend any amount of time online, you'll know just how important passwords are. But are they on the way out? PayPal's chief information security officer Michael Barrett wants to remove the need for passwords completely. Aside from working for PayPal, Barret also works as the president of the Fast IdentityOnline (FIDO) Alliance, an organization that hopes to revolutionize authentication with a new, more secure protocol.
According to MacWorld, Barret believes that our widespread use of passwords is making them less secure. Because people tend to reuse passwords rather than remembering a different one for every service they visit, Barret says a user is really only as secure as the least secure place they go online. Furthermore, he wants passwords to die off.
"Users will pick poor passwords and then they'll reuse them everywhere," Barrett is quoted as saying at Interop late last week. "That has the effect of reducing the security of their most secure account to the security of the least secure place they visit on the internet."
FIDO is hoping to eliminate the need for passwords using a combination of hardware, software and the internet. More specifically, FIDO offers a range of solutions incorporating finger print readers, hardware tokens, and USB memory sticks as well as special software. This token verifies your identity and the software relays the FIDO protocol back to whatever website you're trying to access.
"For most people, they authenticate to a very small set of devices. The notion is you authenticate to your device and the device authenticates securely to a [website]," Barrett is quoted by The Register as saying. "The credentials that authenticate you to your device are stored securely in the device and do not leave it."
Barrett says we'll start seeing FIDO-enabled devices starting this year. However, it will likely be a while before the protocol becomes widespread enough to kill off the common password. Until then, the best thing you can do is use different passwords for every account, set up two-step verification where ever possible, and change your passwords often.