
PayPal Says It's Time to Ditch Passwords and PINs

By Thor Olavsrud, CIO
May 09, 2013 07:02 PM ET

"We have a tombstone here for passwords," Michael Barrett, PayPal's chief information security officer, told the audience at Interop Las Vegas 2013, pointing to a slide with a tombstone for passwords with the years 1961 to 2013 etched on it.

"Passwords, when used ubiquitously everywhere at Internet scale, are starting to fail us," he added.


User Only as Secure as the Least Secure Place They Visit Online

Users now have dozens of accounts online, between email accounts, social media accounts, online store accounts and more. Each ostensibly has its own username and password, though Barrett notes that users have so much trouble coping with the multitude of usernames and passwords that they tend to reuse the same ones everywhere they go on the Internet.

Those passwords tend to be poor, he said, pointing to the many passwords that have been published online as a result of numerous data breaches over the past five years. Passwords like "12345" and "password" are among the most commonly used passwords online.


"Users will pick poor passwords and then they'll reuse them everywhere," Barrett said. "That has the effect of reducing the security of their most secure account to the security of the least secure place they visit on the Internet."

FIDO Alliance Pushing Open Authentication Standard

The answer, Barrett said, is to replace the 50-year-old password technology we rely on with more robust authentication methods. He is the president of the Fast Identity Online (FIDO) Alliance, an organization formed two years ago with the goal of revolutionizing online authentication with an industry-supported, standards-based open protocol that not only makes users more secure but is also easy and convenient to use.

The FIDO Alliance protocol gives users a choice of authentication method while shifting control to providers, who can make authentication transparent to the user and limit the risk of fraud. Essentially, FIDO combines hardware, software and Internet services.


When a FIDO Authenticator is connected to an online account, it establishes a relationship between the Authenticator, the relying party and the FIDO Validation Service. Once that relationship is established, the Authenticator and the validation service exchange only one-time passwords (OTPs), so no reusable secret ever has to be sent to, or stored by, the website itself.

In addition, all browsers on a user's system would have a FIDO plug-in capable of recognizing the FIDO Authenticators connected to the user's system. The FIDO Validation Service binds the whole system together, serving as a clearinghouse for token information.
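The two paragraphs above describe three parties and say only that the Authenticator and the validation service exchange one-time passwords. The following is an added toy model of that relationship, written for this page; it is not the FIDO Alliance's protocol or any code from the article. Everything in it is an assumption: the party names, the use of HMAC-SHA256 over a random challenge as the "one-time password", and the sites shop.example and bank.example. What it shows is the security point behind Barrett's argument: the relying party stores only an opaque token handle, each token is bound to one site, and each response answers one fresh challenge, so a dump of one site's user table and a captured response are useless both for replay at that site and for logging in anywhere else.

```python
"""Toy model of Authenticator / relying party / validation service.

Added illustration, not FIDO's real protocol: the validation service holds a
per-site token secret and checks HMAC-based one-time responses; relying
parties never see a secret at all. All names are invented for this example.
"""
import hashlib
import hmac
import secrets


class ValidationService:
    """Clearinghouse for token information. Each token is bound to one site."""

    def __init__(self):
        self._tokens = {}  # token_id -> (rp_id, token_secret)

    def enroll(self, token_id, rp_id, token_secret):
        self._tokens[token_id] = (rp_id, token_secret)

    def verify(self, token_id, rp_id, challenge, otp):
        binding = self._tokens.get(token_id)
        if binding is None or binding[0] != rp_id:
            return False  # unknown token, or token bound to a different site
        expected = hmac.new(binding[1], challenge, hashlib.sha256).hexdigest()
        return hmac.compare_digest(expected, otp)


class Authenticator:
    """The user's device. The master secret never leaves it."""

    def __init__(self):
        self._master = secrets.token_bytes(32)

    def _token_secret(self, rp_id, token_id):
        # Per-site secret derived from the master, so one site's token
        # tells the validation service nothing about the user's other sites.
        label = f"{rp_id}|{token_id}".encode()
        return hmac.new(self._master, label, hashlib.sha256).digest()

    def register(self, rp_id, validation):
        token_id = secrets.token_hex(16)
        validation.enroll(token_id, rp_id, self._token_secret(rp_id, token_id))
        return token_id  # opaque handle: this is all the relying party keeps

    def respond(self, rp_id, token_id, challenge):
        key = self._token_secret(rp_id, token_id)
        return hmac.new(key, challenge, hashlib.sha256).hexdigest()


class RelyingParty:
    """A website. Its user table holds token handles, never passwords or secrets."""

    def __init__(self, rp_id, validation):
        self.rp_id = rp_id
        self._validation = validation
        self.users = {}     # username -> token_id
        self._pending = {}  # username -> outstanding challenge

    def enroll(self, username, authenticator):
        self.users[username] = authenticator.register(self.rp_id, self._validation)

    def begin_login(self, username):
        challenge = secrets.token_bytes(32)
        self._pending[username] = challenge
        return challenge

    def finish_login(self, username, otp):
        challenge = self._pending.pop(username, None)  # single use
        if challenge is None or username not in self.users:
            return False
        return self._validation.verify(self.users[username], self.rp_id, challenge, otp)


def demo():
    """Constructed scenario: one device enrolled at two sites, then attacked."""
    validation = ValidationService()
    device = Authenticator()
    shop = RelyingParty("shop.example", validation)
    bank = RelyingParty("bank.example", validation)
    shop.enroll("alice", device)
    bank.enroll("alice", device)

    # 1. Normal login at the shop: fresh challenge, one response.
    challenge = shop.begin_login("alice")
    otp = device.respond("shop.example", shop.users["alice"], challenge)
    login = shop.finish_login("alice", otp)

    # 2. Replaying the captured response at the same site: challenge consumed.
    replay = shop.finish_login("alice", otp)

    # 3. Attacker with a full dump of the shop's user table (token handles only)
    #    and the captured response tries them against the bank.
    leaked = dict(shop.users)
    bank_challenge = bank.begin_login("alice")
    cross_site = validation.verify(leaked["alice"], "bank.example", bank_challenge, otp)

    return {"login": login, "replay": replay, "cross_site": cross_site}


if __name__ == "__main__":
    print(demo())
```

Compare this with the password world Barrett describes: a breached password at the least secure site is the same string the user typed at the bank, so the bank's security collapses to the shop's. Here the shop's entire breached table gives the attacker nothing that the validation service will accept at bank.example.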

Interest in FIDO Alliance 'Extreme'

Composed of a number of Internet companies, system integrators and security providers, the FIDO Alliance went public in February. Since that time, Barrett said, the level of interest and growth of the organization has been "extreme."

"Passwords are running out of steam as an authentication solution," he added. "They're starting to impede the development of the Internet itself. It's pretty clear that we can't fix it with a proprietary approach."
