PayPal CISO Michael Barrett bullish on password alternative standard

An alliance of technology firms, including PayPal and Lenovo, says it can provide alternatives to passwords to authenticate users for online services.

An alliance of technology firms, including PayPal and Lenovo, is confident it will succeed in providing viable alternatives to passwords for users to authenticate themselves with online services.

To achieve this, the Fast IDentity Online (Fido) Alliance has published a set of open standards aimed at enabling the interoperability of authentication technologies.

The standards are aimed at making online accounts more secure, by eliminating password theft and re-use, and giving PCs and mobile devices a bigger role in authentication.

Single password hazard

Most users of online services find it difficult to cope with multiple passwords and tend to use a single password for several accounts, making it only as secure as the least secure service provider.

Insecure passwords are a problem for online enterprises because of lost business, through user lockouts and forgotten passwords, and direct losses through fraud by cyber criminals using stolen credentials.

The Fido Alliance has consulted widely in the IT industry, and no-one has denied that the problem needs to be solved or argued that Fido’s approach is flawed, said Michael Barrett, president of the Fido Alliance and CISO at PayPal.


“Industry leaders agree there is a real need, that this is the right time to tackle it and that the Fido alliance is going about it the right way through open standards,” Michael Barrett told Computer Weekly.

For example, the Trusted Computing Group (TCG), which develops open standards for hardware-enabled trusted computing and security technologies, views the Fido standards as complementary to its own.

The TCG’s Trusted Platform Module (TPM) could be a valuable authentication methodology for use with the Fido standards, said Barrett.

Applications using Fido standards

In an implementation using TPM, a Fido-enabled system would interrogate the TPM cryptoprocessor in a user’s device to authenticate the user.

Similarly, a service provider using the Fido standards could authenticate a user by using a device’s microphone, fingerprint scanner or camera for biometric checks.

According to Barrett, the Fido Alliance’s mission is similarly complementary to the work of companies such as Google to make online authentication both as easy and as secure as possible.

“The positive response we have received since publishing the standards is growing my confidence that we will pull this off,” he said.

All in the timing

Barrett believes Fido will succeed where others have failed, mainly due to its timing.

He believes that X.509, for example, was not only too complex, but was conceived for a world with an even mix of offline and online activity, rather than one that is predominantly online.

“In the late 1990s there were tens of millions of internet users and there was no understanding of the problems that would arise with billions of users, as we have today,” said Barrett.

Other attempts at solving the problem of online authentication have failed because no-one completely trusts a single entity all the time. “That’s what Microsoft’s Passport taught us,” he said.

Choice of authentication technologies

In contrast, the Fido approach uses a standards-based protocol that allows online service providers to use any authentication technology of their choice.

“It will be up to market forces to determine what the most commonly used technologies will be for particular situations,” said Barrett.

Fido enables an authentication framework into which authentication suppliers can integrate their technologies, which will help prevent supplier lock-in for online service providers.
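The challenge-response model behind the device-based authentication described above (a service interrogating a key held in the user’s device, with any authenticator plugging into the same protocol) is shown here as an added example written for this page; it is not code from the Fido Alliance, PayPal or any Fido specification. A simulated authenticator standing in for a TPM-backed key store holds one private key per service, the service stores only public keys and issues single-use random challenges, and the service’s origin is bound into every signature so that a credential for one site cannot be reused at another. The origins, user name and signed-message layout are constructed for the example; Fido’s actual wire formats differ.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Authenticator stands in for the user's device (a TPM-backed key store in the
// article's example). Private keys are generated inside it and never leave;
// a separate key pair is kept for each relying-party origin.
type Authenticator struct {
	keys map[string]*ecdsa.PrivateKey // origin -> private key
}

func NewAuthenticator() *Authenticator {
	return &Authenticator{keys: map[string]*ecdsa.PrivateKey{}}
}

// Register mints a fresh P-256 key pair bound to origin and returns only the
// public half for the service to store.
func (a *Authenticator) Register(origin string) (*ecdsa.PublicKey, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	a.keys[origin] = priv
	return &priv.PublicKey, nil
}

// Sign answers a challenge with the key registered for origin. The origin is
// hashed into the signed message, so the response is only valid at that service.
func (a *Authenticator) Sign(origin string, challenge []byte) ([]byte, error) {
	priv, ok := a.keys[origin]
	if !ok {
		return nil, errors.New("no credential registered for " + origin)
	}
	d := signedDigest(origin, challenge)
	return ecdsa.SignASN1(rand.Reader, priv, d[:])
}

// signedDigest is the message both sides sign/verify (constructed for this
// example): SHA-256(origin || 0x00 || challenge).
func signedDigest(origin string, challenge []byte) [32]byte {
	h := sha256.New()
	h.Write([]byte(origin))
	h.Write([]byte{0})
	h.Write(challenge)
	var d [32]byte
	copy(d[:], h.Sum(nil))
	return d
}

// RelyingParty stands in for an online service. It stores public keys only,
// so a copy of its credential table logs nobody in, unlike a password table.
type RelyingParty struct {
	Origin  string
	users   map[string]*ecdsa.PublicKey
	pending map[string][]byte // one outstanding challenge per user
}

func NewRelyingParty(origin string) *RelyingParty {
	return &RelyingParty{Origin: origin, users: map[string]*ecdsa.PublicKey{}, pending: map[string][]byte{}}
}

func (rp *RelyingParty) Enroll(user string, pub *ecdsa.PublicKey) { rp.users[user] = pub }

// Challenge issues a 32-byte random nonce that the next Verify consumes.
func (rp *RelyingParty) Challenge(user string) ([]byte, error) {
	if _, ok := rp.users[user]; !ok {
		return nil, errors.New("unknown user " + user)
	}
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	rp.pending[user] = c
	return c, nil
}

// Verify checks sig over (Origin, pending challenge) and retires the challenge
// whether or not the check passes, so a captured response cannot be replayed.
func (rp *RelyingParty) Verify(user string, sig []byte) bool {
	pub, haveKey := rp.users[user]
	c, haveChallenge := rp.pending[user]
	delete(rp.pending, user)
	if !haveKey || !haveChallenge {
		return false
	}
	d := signedDigest(rp.Origin, c)
	return ecdsa.VerifyASN1(pub, d[:], sig)
}

// Login runs the full exchange: challenge -> device signature -> verification.
func Login(rp *RelyingParty, auth *Authenticator, user string) (bool, error) {
	c, err := rp.Challenge(user)
	if err != nil {
		return false, err
	}
	sig, err := auth.Sign(rp.Origin, c)
	if err != nil {
		return false, err
	}
	return rp.Verify(user, sig), nil
}

// SignedForWrongOrigin shows origin binding: a response the device produced for
// other.Origin is presented to target and must be rejected, even though the
// same device holds a valid credential for both services.
func SignedForWrongOrigin(target, other *RelyingParty, auth *Authenticator, user string) (bool, error) {
	c, err := target.Challenge(user)
	if err != nil {
		return false, err
	}
	sig, err := auth.Sign(other.Origin, c)
	if err != nil {
		return false, err
	}
	return target.Verify(user, sig), nil
}

func main() {
	auth := NewAuthenticator()
	bank := NewRelyingParty("https://bank.example") // constructed origins
	shop := NewRelyingParty("https://shop.example")
	for _, rp := range []*RelyingParty{bank, shop} {
		pub, _ := auth.Register(rp.Origin)
		rp.Enroll("alice", pub)
	}
	ok, _ := Login(bank, auth, "alice")
	fmt.Println("login with registered device:", ok)
	wrong, _ := SignedForWrongOrigin(bank, shop, auth, "alice")
	fmt.Println("response signed for shop accepted by bank:", wrong)
	ok, err := Login(bank, NewAuthenticator(), "alice")
	fmt.Println("login from a device without the key:", ok, err)
}
```

The two properties worth noticing are the ones the article attributes to the approach: the service never holds a reusable secret, and because each credential is generated for one origin and the origin is signed along with the challenge, the same device registered at two services gives neither service anything that works at the other. Any authenticator type that can produce the signature (TPM, fingerprint-gated key, phone) can sit behind the same `Sign` interface.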

Support crucial to momentum

Barrett believes another key aspect of Fido’s success will be that it is supported by an alliance of authentication providers, equipment manufacturers and online services that need to authenticate users.

While PayPal is the first major online service or “relying party” to join the Fido Alliance, some large financial services firms are expected to join soon, he said.

Building momentum in the industry is one of the challenges to Fido’s success, but Barrett believes the business benefits will drive the first trials in the enterprise, particularly in small and medium businesses.

“Big companies are not necessarily the most profitable and SMBs typically need help in dealing with fraud, so are probably the most fertile ground for Fido trials because the approach will work well,” he said.

While Barrett would not be drawn on PayPal’s plan to implement the Fido standards, he confirmed that the online payments firm plans to carry out both internal and external facing pilots in 2013.

He expects to see Fido standards gathering momentum in 2014 as technologies conforming to the standards mature and are rolled out.

Smartphone manufacturers are also likely to be early adopters of Fido standards, said Barrett, noting Apple’s acquisition of AuthenTec in late 2012, which has led to speculation that future iPhones will feature fingerprint readers.

“Android device makers are unlikely to want to be left behind, but they will need Fido standards to make it work, so it is reasonable to suppose we may see Fido-based smartphones by the end of 2013,” Michael Barrett said.
