PayPal Says It's Time to Ditch Passwords and PINs

PayPal CISO Michael Barrett took the keynote stage at Interop today to announce the impending death of passwords and their replacement with more robust authentication protocols based on an open standard. Apple may lead the way with its next iPhone.

LAS VEGAS--Will 2013 be the year we say goodbye to passwords? This morning, Michael Barrett, chief information security officer (CISO) of PayPal, took the keynote stage at Interop here to announce the impending end of passwords.

Ditch Passwords

"We have a tombstone here for passwords," Barrett told the audience, pointing to a slide showing a tombstone for passwords etched with the years 1961 to 2013.

"Passwords, when used ubiquitously everywhere at Internet scale, are starting to fail us," he added.

User Only as Secure as the Least Secure Place They Visit Online

Users now have dozens of accounts online, between email accounts, social media accounts, online store accounts and more. Each ostensibly has its own username and password, though Barrett notes that users have so much trouble coping with the multitude of usernames and passwords that they tend to reuse the same ones everywhere they go on the Internet.

Those passwords tend to be poor, he said, pointing to the many passwords that have been published online as a result of numerous data breaches over the past five years. Passwords like "12345" and "password" are among the most commonly used passwords online.


"Users will pick poor passwords and then they'll reuse them everywhere," Barrett said. "That has the effect of reducing the security of their most secure account to the security of the least secure place they visit on the internet."

FIDO Alliance Pushing Open Authentication Standard

The answer, Barrett said, is to replace the 50-year-old password technology we rely on with more robust authentication methods. He's the president of the Fast Identity Online (FIDO) Alliance, an organization formed two years ago with the goal of revolutionizing online authentication with an industry-supported, standards-based open protocol that not only makes users more secure but is also easy and convenient to use.

The FIDO Alliance protocol allows users a choice of authentication method while shifting control to providers who can make authentication user-transparent and limit the risk of fraud. Essentially, FIDO combines hardware, software and Internet services. A FIDO user will use a FIDO Authenticator or token that they've chosen or that's incorporated in their device; it could be a built-in fingerprint scanner, a USB memory drive with a password, a voice reader or something else.


When a FIDO Authenticator is connected to an online account, it establishes a relationship between the Authenticator, the relying party and the FIDO Validation Service. Once that relationship is established, the Authenticator and the validation service exchange only one-time passwords (OTPs).

In addition, all browsers on a user's system would have a FIDO plug-in capable of recognizing available FIDO Authenticators connected to the user's system. The Authenticator Validation Service will bind the whole system together, serving as a clearinghouse for token information.
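As an added illustration of the flow the article describes (this is not FIDO Alliance code and not a specification of the real protocol), the Python sketch below models registering an Authenticator with a Validation Service, binding it to a relying-party account, and a later login that exchanges only a one-time code. The HMAC-over-counter scheme, the class and method names, and the random seed are assumptions chosen for the sketch; the point it shows is that the web site stores no password and a replayed code is rejected.

```python
import hashlib, hmac, secrets

def _code(seed, counter):
    # One-time value = HMAC(seed, counter): usable once, reveals nothing reusable (assumed scheme)
    return hmac.new(seed, counter.to_bytes(8, "big"), hashlib.sha256).hexdigest()[:16]

class Authenticator:
    # Device-side token; the seed is constructed at random here and never leaves the device
    def __init__(self):
        self._seed = secrets.token_bytes(32)
        self._counter = 0
    def enroll(self, validation):
        # Registration: the validation service learns the seed (assumed provisioned out of band)
        return validation.enroll(self._seed)
    def otp(self):
        self._counter += 1
        return self._counter, _code(self._seed, self._counter)

class ValidationService:
    # Clearinghouse for token information: verifies codes and rejects replays
    def __init__(self):
        self._tokens = {}  # token_id -> [seed, highest counter accepted so far]
    def enroll(self, seed):
        token_id = secrets.token_hex(8)
        self._tokens[token_id] = [seed, 0]
        return token_id
    def verify(self, token_id, counter, code):
        entry = self._tokens.get(token_id)
        # Reject unknown tokens, stale or replayed counters, and wrong codes (constant-time compare)
        ok = entry is not None and counter > entry[1] and hmac.compare_digest(_code(entry[0], counter), code)
        if ok:
            entry[1] = counter  # advance the replay window only after a good code
        return ok

class RelyingParty:
    # The web site: stores which token belongs to which account, never a password
    def __init__(self, validation):
        self._validation, self._accounts = validation, {}  # username -> token_id
    def bind(self, username, token_id):
        self._accounts[username] = token_id
    def login(self, username, counter, code):
        token_id = self._accounts.get(username)
        return token_id is not None and self._validation.verify(token_id, counter, code)

def demo():
    # Enroll one token, log in once, then replay the same code: returns (True, False)
    validation, device = ValidationService(), Authenticator()
    site = RelyingParty(validation)
    site.bind("alice", device.enroll(validation))
    counter, code = device.otp()
    return site.login("alice", counter, code), site.login("alice", counter, code)
```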

Interest in FIDO Alliance 'Extreme'

Composed of a number of Internet companies, system integrators and security providers, the FIDO Alliance went public in February. Since that time, Barrett said, the level of interest and growth of the organization has been "extreme."

"Passwords are running out of steam as an authentication solution," he added. "They're starting to impede the development of the internet itself. It's pretty clear that we can't fix it with a proprietary approach."


"Our intention is to really obliterate within a certain number of years both passwords and PINs, including internally in enterprises," Barrett added. "Starting this year you will see FIDO-enabled devices appearing in the market."

Apple to Push FIDO with New Phone?

Barrett hinted that Apple will do its part to take the FIDO protocol mainstream.

"It's widely rumored that a large technology provider in Cupertino, Calif., will come out with a phone later this year that has a fingerprint reader on it," he said. "There is going to be a fingerprint enabled phone on the market later this year. Not just one, multiple."

Even so, passwords won't disappear overnight, he noted.

"These kinds of trends take a while," he said. "We're in this world-changing moment, but it's going to take several years before you see real, mass turning of the ship. But the ship is turning."

Thor Olavsrud covers IT Security, Big Data, Open Source, Microsoft Tools and Servers for CIO.com. Follow Thor on Twitter @ThorOlavsrud. Follow everything from CIO.com on Twitter @CIOonline, Facebook, Google + and LinkedIn. Email Thor at tolavsrud@cio.com
