A colleague of mine shared this with me this morning. Allow me to share it with you. Thanks for stopping by…
Could the era of the password be behind us? That’s what PayPal Chief Security Officer Michael Barrett predicted during one of the most interesting keynotes at this week’s Interop show in Las Vegas.
Barrett said that passwords have been in widespread use since 1961 but the prevalence of cloud services has left us with too many sites that require passwords. People have too many passwords and thus are frustrated. As a result, he said, “Passwords are starting to fail us.”
When left to their own devices, users will pick poor passwords and use them everywhere. That means the security of their most important account is reduced to that of the least secure place they use that password. Meanwhile the availability of cheap processing power in the cloud, including GPUs, has made it easier for people to crack password hashes.
An alternative—two-factor systems with password key rings—he said is “a regulator’s dream, but a user’s nightmare” as each site might have its own secure token system.
As a result, we need something else and that’s where the FIDO Alliance comes in. Users want something that is both secure and easy, Barrett said. Any solution must provide stronger authentication but must be easier to use, and yet respect people’s privacy.
The alliance has been running for more than two years, and the first such solutions are about to be launched.
With today’s model, passwords are entered on a device and then passed through the device to the service on the other end. In the FIDO model, users have a small number of devices, and they authenticate to the device rather than to each service. A FIDO stack on the device then knows how to authenticate back to the service. The information for the connection could be stored in the TPM chip on a PC, or in a secure container on a smartphone.
To authenticate to the device, you could use a fingerprint. Barrett suggested that Apple may be coming out with a fingerprint reader on a smartphone later this year, with Android devices following shortly. Devices could also use “voice biometrics” (a voice print), eye recognition, or facial recognition. Individual sites could specify which one or more of these signifiers they will accept.
For this plan to work, it would require both devices that support the standard and services that accept FIDO authentication. Barrett said PayPal is in the process of becoming FIDO-enabled. Once a site is enabled, if there is a FIDO client, it gets used; otherwise, it will be ignored.
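The two-hop model described above (user authenticates to the device, device authenticates to the service) can be sketched in a few dozen lines. The Go program below is an added illustration written for this post; it is not FIDO Alliance code and does not follow the actual FIDO protocol messages. It assumes Ed25519 signatures as the device-to-service mechanism, a SHA-256 hash of a constructed string as a stand-in for an enrolled biometric template, and an in-memory map as the service’s user store. The points it makes are the ones in the talk: the service stores only a public key (nothing for a GPU rig to crack), the biometric check happens on the device and never leaves it, and each login signs a one-time challenge bound to the service’s origin so a signature harvested by a look-alike site does not verify at the real one.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
)

// Service is a constructed sketch of a FIDO-enabled relying party.
// It stores only public keys, so a breach of its database yields nothing to crack.
type Service struct {
	Origin     string
	registered map[string]ed25519.PublicKey // user -> device public key
	challenges map[string][]byte            // user -> outstanding one-time challenge
}

func NewService(origin string) *Service {
	return &Service{
		Origin:     origin,
		registered: make(map[string]ed25519.PublicKey),
		challenges: make(map[string][]byte),
	}
}

// Register records the public half of the key pair a device generated for this user.
func (s *Service) Register(user string, pub ed25519.PublicKey) {
	s.registered[user] = pub
}

// NewChallenge issues a fresh random nonce; each one may be used exactly once.
func (s *Service) NewChallenge(user string) ([]byte, error) {
	if _, ok := s.registered[user]; !ok {
		return nil, errors.New("unknown user")
	}
	ch := make([]byte, 32)
	if _, err := rand.Read(ch); err != nil {
		return nil, err
	}
	s.challenges[user] = ch
	return ch, nil
}

// signedMessage binds the challenge to the origin the device believes it is
// talking to, so a signature obtained by a look-alike site cannot be replayed here.
func signedMessage(origin string, challenge []byte) []byte {
	h := sha256.New()
	h.Write([]byte(origin))
	h.Write([]byte{0}) // separator so origin and challenge cannot run together
	h.Write(challenge)
	return h.Sum(nil)
}

// Verify checks the device's signature over the outstanding challenge and
// consumes the challenge so it cannot be replayed, whether or not it verified.
func (s *Service) Verify(user string, sig []byte) error {
	pub, ok := s.registered[user]
	if !ok {
		return errors.New("unknown user")
	}
	ch, ok := s.challenges[user]
	if !ok {
		return errors.New("no outstanding challenge")
	}
	delete(s.challenges, user)
	if !ed25519.Verify(pub, signedMessage(s.Origin, ch), sig) {
		return errors.New("signature does not verify")
	}
	return nil
}

// Device is a constructed sketch of the client side. In a real deployment the
// private key would live in a TPM or secure container and never be exportable.
type Device struct {
	priv         ed25519.PrivateKey
	enrolledHash [32]byte // stand-in for an enrolled biometric template (constructed)
}

func NewDevice(fingerprintTemplate string) (*Device, error) {
	_, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Device{priv: priv, enrolledHash: sha256.Sum256([]byte(fingerprintTemplate))}, nil
}

// PublicKey is the only key material that ever leaves the device.
func (d *Device) PublicKey() ed25519.PublicKey {
	return d.priv.Public().(ed25519.PublicKey)
}

// Sign performs local user verification first (the biometric is checked on the
// device and never sent anywhere), then signs the origin-bound challenge.
func (d *Device) Sign(fingerprintSample, origin string, challenge []byte) ([]byte, error) {
	got := sha256.Sum256([]byte(fingerprintSample))
	if subtle.ConstantTimeCompare(got[:], d.enrolledHash[:]) != 1 {
		return nil, errors.New("local user verification failed")
	}
	return ed25519.Sign(d.priv, signedMessage(origin, challenge)), nil
}

func main() {
	dev, err := NewDevice("enrolled-finger-A") // constructed template
	if err != nil {
		panic(err)
	}
	svc := NewService("https://example.test")
	svc.Register("alice", dev.PublicKey())

	ch, _ := svc.NewChallenge("alice")
	sig, _ := dev.Sign("enrolled-finger-A", svc.Origin, ch)
	fmt.Println("genuine login:", svc.Verify("alice", sig))

	ch, _ = svc.NewChallenge("alice")
	sig, _ = dev.Sign("enrolled-finger-A", "https://look-alike.test", ch)
	fmt.Println("signature captured by look-alike site:", svc.Verify("alice", sig))
}
```

Note the two things the server never sees: the fingerprint sample and the private key. Everything it stores is public, which is the property Barrett contrasts with today’s password databases.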
Even though he thinks passwords are running out of steam, Barrett acknowledged that it will take several years before we start to see real mass adoption. The odds are only “50/50 whether we can pull this off,” he said.
But given the number of password hacks we keep reading about and the frustrations we all face with our current passwords, there’s no denying that many of us want something better.