PayPal’s top security official is on a quest to kill passwords.
“Our intention is to really obliterate, within a certain number of years, both passwords and PINs and see the whole Internet—including internally in enterprises—obliterate user IDs and passwords and PINs from the face of the planet.”
That’s what Michael Barrett, chief information security officer at PayPal, told the network industry today at the Interop conference in Las Vegas. Barrett’s second job is as president of the FIDO Alliance, a recently unveiled consortium trying to create an open standard that could replace passwords. Google, Lenovo, and other companies have representatives on FIDO’s board of directors.
FIDO, which stands for Fast Identity Online and sounds like the name one would give to a dog, would work by requiring users to authenticate to their smartphone or other personal device, which then authenticates to a website (such as PayPal) using FIDO’s protocols.
“There is a FIDO client or a FIDO stack that has to be on the device concerned,” Barrett said. “That piece of software, think of it as a shim, knows how to talk the FIDO protocol back to the relying parties’ server. Say you show up to PayPal.com once PayPal becomes FIDO-enabled, which we’re in the process of doing. Once you come to our site, we will ping the device.”
The device will then enumerate to the user the ways in which it can support authentication, from fingerprint sensing to eye scans.
“For most people, they authenticate to a very small set of devices. The notion is you authenticate to your device and the device authenticates securely to a [website],” Barrett said. “The credentials that authenticate you to your device are stored securely in the device and do not leave it.”
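The flow Barrett describes (site pings the device, user authenticates locally, device answers the site) can be sketched as follows. This is an added example, not code from PayPal or the FIDO Alliance: it assumes a public-key challenge-response, which the article does not spell out, and the class names, the PIN and `paypal.example` are constructed for illustration.

```javascript
// Added illustration; every name here is hypothetical, not FIDO's actual API.
const crypto = require('crypto');
const sha = (s) => crypto.createHash('sha256').update(s).digest();

class Device {
  constructor(pin) {
    this.pinHash = sha(pin); // local credential (stand-in for a fingerprint); never sent
    this.keys = new Map();   // per-site private keys, kept on the device
  }
  methods() { return ['pin', 'fingerprint']; } // options the device offers the user
  register(site) {
    const { publicKey, privateKey } = crypto.generateKeyPairSync('ed25519');
    this.keys.set(site, privateKey);
    return publicKey; // only the public half leaves the device
  }
  respond(site, challenge, pin) {
    if (!crypto.timingSafeEqual(sha(pin), this.pinHash)) return null; // local check failed
    return crypto.sign(null, Buffer.concat([Buffer.from(site), challenge]), this.keys.get(site));
  }
}

class RelyingParty {
  constructor(site) { this.site = site; this.pub = new Map(); this.pending = new Map(); }
  enroll(user, publicKey) { this.pub.set(user, publicKey); }
  ping(user) { // the "ping": a fresh random challenge for this login attempt
    const c = crypto.randomBytes(32);
    this.pending.set(user, c);
    return c;
  }
  verify(user, signature) {
    const c = this.pending.get(user);
    this.pending.delete(user); // each challenge is usable once
    if (!c || !signature) return false;
    return crypto.verify(null, Buffer.concat([Buffer.from(this.site), c]), this.pub.get(user), signature);
  }
}

function demo() {
  const rp = new RelyingParty('paypal.example');
  const dev = new Device('4921'); // constructed PIN
  rp.enroll('alice', dev.register('paypal.example'));
  const badPin = rp.verify('alice', dev.respond('paypal.example', rp.ping('alice'), '0000'));
  const sig = dev.respond('paypal.example', rp.ping('alice'), '4921');
  const first = rp.verify('alice', sig);
  const replay = rp.verify('alice', sig); // challenge already consumed
  return { offered: dev.methods(), badPin, first, replay, sigBytes: sig.length };
}
console.log(demo());
```

The relying party only ever stores a public key and sees a signature over its own challenge, so a breach of the site's database yields nothing that can be replayed as a login.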
Do you really want your refrigerator to know your PayPal password?
The so-called “Internet of things” adds another wrinkle. Barrett talked about development of refrigerators that can sense what food is inside them and automatically order replacement groceries. Perhaps such technology will be commonplace in a few years—and your refrigerator will need a way to pay for food.