PayPal says it's time to ditch passwords and PINs

Push to replace 50-year-old password technology we rely on with more robust authentication methods

"We have a tombstone here for passwords," Michael Barrett told the audience at Interop in Las Vegas, pointing to a slide with a tombstone for passwords with the years 1961 to 2013 etched on it.

"Passwords, when used ubiquitously everywhere at Internet scale, are starting to fail us," he said.

User Only as Secure as the Least Secure Place They Visit Online

Users now have dozens of accounts online, between email accounts, social media accounts, online store accounts and more. Each ostensibly has its own username and password, though Barrett notes that users have so much trouble coping with the multitude of usernames and passwords that they tend to reuse the same ones everywhere they go on the Internet.

Those passwords tend to be poor, he said, pointing to the many passwords that have been published online as a result of numerous data breaches over the past five years. Passwords like "12345" and "password" are among the most commonly used passwords online.

[Related: How Your Authentication Scheme Could Hurt Your Business]

"Users will pick poor passwords and then they'll reuse them everywhere," Barrett said. "That has the effect of reducing the security of their most secure account to the security of the least secure place they visit on the internet."

FIDO Alliance Pushing Open Authentication Standard

The answer, Barrett said, is to replace the 50-year-old password technology we rely on with more robust authentication methods. He is the president of the Fast Identity Online (FIDO) Alliance, an organization formed two years ago with the goal of revolutionizing online authentication with an industry-supported, standards-based open protocol that not only makes users more secure but is also easy and convenient to use.

The FIDO Alliance protocol allows users a choice of authentication method while shifting control to providers, who can make authentication transparent to the user and limit the risk of fraud. Essentially, FIDO combines hardware, software and Internet services.

[Related: Cisco Inadvertently Weakens Password Encryption in its IOS Operating System]

When a FIDO Authenticator is connected to an online account, it establishes a relationship between the Authenticator, the relying party and the FIDO Validation Service. Once the relationship is established, the Authenticator and the validation service exchange only one-time passwords (OTPs); the user's long-term credential never crosses the network again.

In addition, all browsers on a user's system would have a FIDO plug-in capable of recognizing available FIDO Authenticators connected to the user's system. The Authenticator Validation Service binds the whole system together, serving as a clearinghouse for token information.
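The three-party arrangement described above (Authenticator, relying party, validation service) can be modelled with a short simulation. The block below is an added illustration, not the FIDO Alliance's protocol or any FIDO code: it assumes HOTP (RFC 4226) as the one-time-password construction, and the class names, the device id "token-0001" and the relying party "example-shop" are constructed for the example. It shows the property the article is after: the relying party stores no secret, the validation service is the only party that can check an OTP, a captured OTP cannot be replayed, and a device that is not bound to the account is refused.

```python
import hashlib
import hmac
import secrets
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226): HMAC-SHA1 over the 8-byte
    big-endian counter, dynamically truncated to `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class Authenticator:
    """Toy user-side token (hypothetical): a per-device secret and a moving counter."""

    def __init__(self, device_id: str) -> None:
        self.device_id = device_id
        self.secret = secrets.token_bytes(20)  # constructed; shared only at enrolment
        self.counter = 0

    def next_otp(self) -> str:
        otp = hotp(self.secret, self.counter)
        self.counter += 1
        return otp


class ValidationService:
    """Toy clearinghouse (hypothetical): records which device is bound to which
    account at which relying party, and is the only party that holds secrets."""

    def __init__(self) -> None:
        self._devices: dict[str, tuple[bytes, int]] = {}   # device_id -> (secret, next expected counter)
        self._bindings: dict[tuple[str, str], str] = {}    # (relying_party, account) -> device_id

    def enrol(self, device: Authenticator, relying_party: str, account: str) -> None:
        self._devices[device.device_id] = (device.secret, device.counter)
        self._bindings[(relying_party, account)] = device.device_id

    def verify(self, relying_party: str, account: str, device_id: str,
               otp: str, window: int = 5) -> bool:
        if self._bindings.get((relying_party, account)) != device_id:
            return False  # device is not bound to this account at this relying party
        secret, expected = self._devices[device_id]
        # Look ahead a few counters to tolerate OTPs generated but never submitted,
        # but never backwards: a counter is consumed once, so a captured OTP is dead.
        for c in range(expected, expected + window):
            if hmac.compare_digest(hotp(secret, c), otp):
                self._devices[device_id] = (secret, c + 1)
                return True
        return False


class RelyingParty:
    """Toy web site (hypothetical): stores no secrets, only asks the validation service."""

    def __init__(self, name: str, validator: ValidationService) -> None:
        self.name = name
        self.validator = validator

    def login(self, account: str, device_id: str, otp: str) -> bool:
        return self.validator.verify(self.name, account, device_id, otp)


def demo() -> dict[str, bool]:
    """Run one enrolment and four login attempts; every entry should be True."""
    validator = ValidationService()
    shop = RelyingParty("example-shop", validator)
    token = Authenticator("token-0001")
    validator.enrol(token, shop.name, "alice")
    otp = token.next_otp()
    return {
        "first_use_accepted": shop.login("alice", token.device_id, otp),
        "replay_rejected": not shop.login("alice", token.device_id, otp),
        "unbound_device_rejected": not shop.login("alice", "token-9999", token.next_otp()),
        "wrong_account_rejected": not shop.login("bob", token.device_id, token.next_otp()),
        "later_otp_accepted": shop.login("alice", token.device_id, token.next_otp()),
    }


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check}: {'ok' if ok else 'FAILED'}")
```

The look-ahead window is the usual trade-off in counter-based OTP schemes: large enough that a token pressed a few times without logging in still resynchronises, small enough that guessing stays impractical. The `hotp` function is checked against the published RFC 4226 test vectors, so the only assumption in the model is the party layout itself.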

Interest in FIDO Alliance 'Extreme'

Composed of a number of Internet companies, system integrators and security providers, the FIDO Alliance went public in February. Since that time, Barrett said, the level of interest and growth of the organization has been "extreme."

"Passwords are running out of steam as an authentication solution," he added. "They're starting to impede the development of the Internet itself. It's pretty clear that we can't fix it with a proprietary approach."

[Related: Twitter Calls for Smarter Password Habits]

"Our intention is to really obliterate within a certain number of years both passwords and PINs, including internally in enterprises," Barrett added. "Starting this year you will see FIDO-enabled devices appearing in the market."

Apple to Push FIDO with New Phone?

Barrett hinted that Apple will do its part to take the FIDO protocol mainstream.

"It's widely rumoured that a large technology provider in Cupertino, Calif., will come out with a phone later this year that has a fingerprint reader on it," he said. "There is going to be a fingerprint-enabled phone on the market later this year. Not just one, multiple."

Even so, passwords won't disappear overnight, he noted.

"These kinds of trends take a while," he said. "We're in this world-changing moment, but it's going to take several years before you see real, mass turning of the ship. But the ship is turning."

Thor Olavsrud covers IT Security, Big Data, Open Source, Microsoft Tools and Servers for Follow Thor on Twitter @ThorOlavsrud. Follow everything from on Twitter @CIOonline, Facebook, Google + and LinkedIn. Email Thor at
