back to article PayPal security boss: OBLITERATE passwords from THE PLANET

PayPal has declared war on the password - and wants a better way for folks to perform open sesame on their own internet accounts. Speaking at the Interop security conference in Las Vegas yesterday, Michael Barrett, chief information security officer at PayPal, talked about his work to create an open standard that could remove …


This topic is closed for new posts.
  1. mark l 2 Silver badge

    the disavantage to having additional hardware to authenticate is that you have to remember to have the harware with you at the time when you wish to login. I don't have that problem with a password as its always with me in my head.

    I guess if it can be authenticated using your phone then this is something that people usually have to hand so that may work but having to carry a USB stick or fingerprint reader everywhere would be a pain

    1. Flocke Kroes Silver badge

      Easily solved

      All I need is some FIDO software for my laptop. To authenticate, all I have to do is run FIDO and type my password - assuming thieves haven't taken my eyes and fingers.

    2. Anonymous Coward
      Anonymous Coward

      Fingerprints and Retina scans are fine.

      I'll be worried if they go the simple device route.

      i.e. What if you lose the USB stick on your way to work?

      Will the stick itself always be password protected?

      1. Wayland Sothcott 1

        Re: Fingerprints and Retina scans are fine.

        Did you see the trouble that Tom Cruse had in Minority Report when he wanted to change is retina. If someone starts logging in using your retina you are going to need surgery to reset the security.

    3. Daniel B.

      It's a solution looking for a problem

      The actual solution for this problem already exists... it's called "two factor authentication". Simply use tokens and the whole password problem goes away, and it is much more cheaper than biometric devices.

      1. Roland6 Silver badge

        Re: It's a solution looking for a problem

        I think the actual solution you were looking for is Single Sign-On - as it provides a framework within which to use two factor authentication.

        1. Jon Gibbins

          Re: It's a solution looking for a problem

          Microsoft Passport, anyone?

      2. big_D Silver badge

        Re: It's a solution looking for a problem

        Two factor, or anything that requires a device is a pain.

        I set up 2-factor on Google, then went to log onto Google with my tablet, only to realise I couldn't, because my phone was miles away!

        The "something you have" has to be something you *always* have!

        That said, the talk about biometrics always brings up images of Simon Pheonix in Demolition Man.

        1. Daniel B.

          Re: It's a solution looking for a problem

          I'm currently carrying not one, not two, but *four* token/keyfobs. I have to say, VASCO and RSA know how to make 'em strong. Except for the Challenge/Response calculator-style token, which does need to have some extra care. Other than that, I can carry 'em everywhere.

          Tokens done right should be easy to carry, and they're usually part of your keyring. There it is, sitting near your Nirvana keyring. Ready to use if you need it, and easy to spot if you've lost it; that's when you have to report it stolen & replace it.

          Granted, all these tokens are for e-banking solutions, but that's kind of PayPal's point, isn't it? Stronger authentication for stuff that deals with money.

    4. Turtle

      A Password.

      " I don't have that problem with a password as its always with me in my head."

      Most people don't have that problem with a password, either. But most people don't have "a password" - they have a large number of them - unless for example they use their bank account password for everything else, too. (My impression is, that most people don't do that, but I don't really know.) If people use strong passwords, i.e. those not subject to dictionary attacks, then remembering passwords becomes even more difficult if not impossible.

      I don't think that carrying a security token should necessarily be more cumbersome than carrying an additional credit card.

      1. Anonymous Coward
        Anonymous Coward

        Re: A Password.

        By last count I am currently using about ten passwords/passphrases, and I do not have any particular problem remembering them all, even though I change some of them regularly (the important ones).

        If you can remember how to speak a whole language, or a few of them, how difficult can it be to "learn" a few new words that you associate with a particular noun?

        Besides, it is not clear in the article whether the system they propose would support true multiple identities. Sure as fuck I do not want my identity on this website to be the same I use for my banking, etc.

  2. Anonymous Coward
    Anonymous Coward

    I can change my password ...

    I can't change my fingerprints ...

    If the security of the system gets compromised they are screwed - I mean what are they going to do?

    "We've emailed all users to warn them of a breach in our security and have asked them all to change their hands and eyes?"


    1. Benjamin 4

      Re: I can change my password ...

      Agreed. And you should use a different code for each website. So I'm good for ten websites, then what?

      1. Bakunin

        Re: I can change my password ...

        Use your toes? Bingo, ten more sites!

    2. stanimir

      Re: I can change my password ...

      I know quite little about finger print recognition but I always assume it'd be some hashing of the actual fingerprint. Adding 256bit salt to the fingerprint would solve the case.

      My main gripe are injuries, cutting (or esp burning) your fingers leaves out handing dry.

  3. Anonymous Coward
    Anonymous Coward

    "The great $45m bank cyber-heist: Seven New Yorkers cuffed"

    PayPal has a pretty shaky record with security... Not sure I trust those guys! How fool-proof are his suggestions if someone compromises a middle layer of security where PayPal gets sent spoofed credentials? I'm sure these guys above are already working on an attack vector from their prison cells as we speak...

  4. Pen-y-gors

    Bad idea and overkill

    Paasswords have weaknesses, obviously, although a sensible password strategy removes most of the problems. But this is overkill, as it means that there is a total loss of anonymity - instead of using a userid and password known to me (e.g. and p/w n0T_reallY) I'd have to use biometrics to access every website? Every on-line activity linked back to a known, certified individual? A Home Secretary's (and Zuck's) wet dream!

    For important accounts (online banking, email etc) some sort of enhanced validation is needed, but two-factor is pretty darn effective, and still doesn't require access to be linked to a specific individual.

    Count me out

    1. An0n C0w4rd

      Re: Bad idea and overkill

      Even better, I strongly suspect that the FIDO stack will allow you to be tracked amongst all these different sites, even if you're not Facebook or the Govt.

  5. Anonymous Coward
    Anonymous Coward


    "There is a FIDO client or a FIDO stack that has to be on the device concerned,"

    Not required. Yubikey plugs into USB port, types non-reusable one-time passwords into your password entry field. $25 one-off, $15 in small quantities.

  6. N2


    I would much prefer they behaved as an honourable financial institution should, upholding the UK consumer credit act, having a headquarters based in the UK, not Luxembourg & perhaps paying a smidgen more tax.

  7. Anonymous Coward
    Anonymous Coward

    Mostly Harmless.....

    In "Mostly Harmless", DNA had the idea that, as biometrics became ever more detailed in block fraud, they became ever more time consuming and invasive, so somebody has the brilliant idea to store all the biometric data on a card that could be scanned instead.

    Ford Prefect steals a top-tier Guide executive's card, and is then able to pass himself off as that executive by presenting the card to all the "secure" systems.

    So, Paypal gets its wish, and we all get a device to authenticate ourselves. Great - so if that device is stolen, whoever has it can masquerade as us. So we need a way to authenticate that is really is the device's proper owner using it. Hmm, I wonder what that would be. Something easy, that won't fail like a fingerprint scanner after you've been working on that engine block all Saturday. Something that doesn't require a bunch of extra, costly hardware. Something that works with existing hardware, like a keyboard. Something like, I don't know, maybe a string of characters known only to the user and the device. Brilliant! I just wonder what we should call it....

  8. User McUser


    Authentication Tokens are dumb unless it's just one part of a n-factor authentication scheme. If my access is dependent entirely on a single piece of gear then if it's stolen/lost A) I'm screwed and B) Someone else gets to access all my accounts without being challenged. (Same reason I don't let my browser save passwords.)

    While I truly detest having to create separate logins for every f-ing site on the planet, I don't think we'll be excising passwords/PINs any time soon. Biometrics might manage to do it, but inexpensive USB fingerprint scanners have been available for at least 13 years that I'm aware of and it hasn't happened yet.

    1. Anonymous Coward
      Anonymous Coward

      USB fingerprint scanners

      They're not popular because they are pointless. For one thing, an attacker just plug in a fake USB fingerprint scanner which returns someone else's fingerprint, cloned from previous scan data. For another thing, a rootkit could do the same entirely in software, with little more sophistication than a keylogger.

      To get round this, you would need some central trusted third party with a fingerprint database, *and* the communication between the fingerprint reader and the TTP would have to be encrypted end-to-end and immune to replay attacks. That is, the encryption would have to take place within the fingerprint reader, not on the PC. The TTP would then return some time-limited token that you could use to authenticate yourself to a website. Furthermore, the fingerprint reader would have to be robust against physical attacks too.

      Any device which you plug in and allows you to unlock your PC locally clearly doesn't use that model.

      On top of all that, even if the FP reading system were secure, you can clone a fingerprint just using a gummy bear.

  9. 100113.1537

    Hmmm, 'phones maybe...

    I can see the point of most commentards here that hardware has its issues, but I would still like to have something more secure on my smartphone. I am nerdy enough that I don't store passwords in the applications (websites etc.), but there are so many different things i needs secure access to that I do have the log-in names and passwords on my PC. These are semi hidden and my PC is only accessibly via password or fingerprint reader (which I love by the way - much the quickest way to boot up).

    However, I am still way too paranoid to have any of these files on my smartphone, which is so much simpler to steal. I really want a fingerprint scanner on my phone so that I can store some of this sensitive information on there and actually use it as an alternative. Since the swipe scanners work so well on my PC (and can't be fooled by the sticky-tape approach) I really can't see why we can't use that together with NFC for much of what these people here are talking about. I am pretty good about taking my phone with me everywhere after all....

  10. MrXavia

    Additional hardware means loose it and your locked out....

    And even with the RSA type keys you STILL need a password/pin or a simple theft can compromise your accounts...

    As for Fingerprint/Eye scanning, are they mad? right now if a thief wants your money just give them your pin & card... if its iris scan, they will scoop out your eyeball!!! hasn't he ever watched Demolition man???

    I don't mind iris/fingerprint for authentication areas that are manned, but bank accounts & online, no thanks!

    1. Daniel B.

      2 Factor auth

      Using a password or PIN with tokens is part of the solution. Even if you know the password, you would still have to get the keyfob, thus the added security.

      I actually like that biometrics bring up Demolition Man, the trend has been even touched upon in the Avengers movie as well. I fear for biometrics on anything, as it would obviously backfire with maimings and mutilations. I like my eyeballs too much for that.

      Didn't someone already lose their fingers or hand when he got carjacked? It was a Mercedes with fingerprint security IIRC...

  11. ecofeco Silver badge

    Biometric FAIL

    Biometrics have been proven time and time again by some very well respected boffins to be unreliable in the everyday world in every sense of the word.

    Mostly by locking the authorized user out of their own stuff.

  12. Pirate Dave Silver badge

    An idea

    Perhaps Paypal should go talk to the folks at Facebook who are all a titter over their open-switch project.

    Paypal hardware being used to authenticate admins to a Facebook switch? Sounds like a match made in heaven.

  13. Dan 4


    Let's see, I feel about as comfortable sending biometrics to Paypal, as I do about letting them hang onto large sums of my money.

    So, not very much at all. Paypal is not an honorable or trustworthy institution.

  14. mliblover

    biometric authentication is a bad idea; pass-words/pass-phrases are better

    Biometric authentication is a poor substitute for pass-phrases for at least three reasons.

    1. Problem of Scope: One would not want to use the same authentication factor in many places because then all those places could have the credentials of the other locations.

    2. Problem of Longevity: Biometrics are persistent. You many no longer want to do business with someplace you provided your biometric data but who is to say that will continue to protect or destroy this valuable personal information.

    3. Problem of Compromise: If an authentication factor such as a pass-phrase becomes stolen or otherwise compromised, one need simply change it. If a biometric authentication factor becomes compromised, say somebody captures your fingerprint, then you screwed.

    This is explained in better detail here:

  15. shovelDriver

    "Get used to fingerprint, eyeball scanners . . ."

    May I, oh Lord Of All You Survey, get used to not using Paypal instead?

    I mean, it's not as if I've ever used it since I found out it makes a practice of ripping off it's members.

  16. Anonymous Coward
    Anonymous Coward

    The fatal flaw

    "The FIDO solution works by using an authentication device that connects to websites to verify a person's identity."

    Anything that connects to the Internet (or any other network) to verify identity is subject to the network route (including the USB host) being compromised.

    That's why the free-standing devices (e.g. the card readers that some banks issue to their customers), which can sign transactions completely independently of any host device or network, are the only way to make a step change in security on the Internet.

  17. mike acker

    look deeper

    this is an effort to get rid of anoniminity

    not everyone on ehte internet is a Good Guy so it is important to maintain you anonimity when you are online

    there is nothing wrong with passwords -- when properly implemented

    and if a hacker can get in via sql injection fingerprints or other scans are not going to help. if he gets in via sql injection he just takes what he wants

  18. Rol

    Biometrics is just another user name & password. Only shorter!

    As pointed out by many already, identifying a user and granting that person privileges based on a biometric response, has several problems, most of which have been covered, but I suspect one that has so far been overlooked is the authenticating character string.

    My user name and password for The Reg is some 40+ characters long, which would be sufficient to code the biometrics of my fingers, eyes and breath, well maybe not my breath at the moment, it is Saturday morning.

    (Think of a 40 digit number in base 256, yes it's huge!)

    My point is, if to access my account using biometrics, only requires sufficient data to describe several locations in my iris, then I suggest that data string would be considerably shorter than my usual access method of 40+ chars and hence be more readily compromised.

    This whole technology is designed to help the poor muppets who can't remember their mums telephone number and tag on the name of the site they're visiting, in a suitably cap on, cap off, sequence.

    1. Rol

      Re: Biometrics is just another user name & password. Only shorter!

      and by the way, my passwords are a sight more devilish than I have suggested.

      1. Rol

        Re: Biometrics is just another user name & password. Only shorter!

        40 digits in base 256 = 2.135987036×10⁹⁶ base 10

        Wow, and how many atoms are in the universe?

  19. Anonymous Coward
    Anonymous Coward

    Combining Biometrics - bad.

    Those of us with long memories of El Reg articles passum will recall that combining different biometric measurements does not make a more reliable system. That's what killed off the biometric ID card scheme in the UK.

    It took a mathematician to point out that they had got their probability calculations hopelessly wrong. They had overlooked that the different false alarms rates of each measurement type don't combine in a manner that satisfies the requirement to accurately identify a person, and only that person, as matching a set of measurements

    If PayPal think they can do better then I suggest they consult a proper mathematician first before ploughing a ton of cash into the idea. I'll be closing my account if they ever launch it...

  20. Pascal Monett Silver badge

    "[a] device that connects to a website"

    Great idea, Paypal. That way, the miscreants will have just one site to hack to steal personal data on everyone and gain access to absolutely all banking data there is. If ever that site came to exist, it would require ironclad security of the likes we have not yet seen and would probably not be able to implement properly. Hopefully they would at least salt their hashes ?

    Uh, Paypal, between your arbitrary account locking based on "suspicions" that you never justify, your inexistant customer support and now this idea, I'm starting to wonder whose side you're on - ours, or the criminals ?

    1. dajames

      Re: "[a] device that connects to a website"

      Great idea, Paypal. That way, the miscreants will have just one site to hack to steal personal data on everyone and gain access to absolutely all banking data there is.

      Much as I dislike and distrust PayPal, I don't think the scheme they are suggesting is quite as bonkers as that!

      What they seem to be proposing is a system in which every user would carry some kind of device that would enable them to authenticate to a system. The user would activate the gadget by some biometric pathway (such as a fingerprint reader on the gadget itself) and that would enable the gadget to authenticate the user to a computer system through some sort of secure protocol -- a cryptographic challenge/response exchange, perhaps. I guess the gadget would contain the user's ID as a digital certificate and would also have the ability to use the corresponding private key to effect the challenge/response calculation.

      Users would register with services using the certificates from their devices as ID, and would authenticate by enabling the device to complete the cryptographic exchange that demonstrates knowledge of the private key. If a user registered with more than one bank using the same device neither bank would know the private key, so either could impersonate the user to the other.

      Note that it is important that the biometric measurement and verification are performed by the device itself, and don't rely on (say) a fingerprint reader attached to the computer. If the device were to rely on the external hardware then an attacker could record capture the biometric data and activate the device automatically without the user's knowledge (possibly after it had been stolen).

      The important points here are:

      1. The device would be useless if stolen because it won't function without performing a biometric identification of the user.

      2. The certificate on the device could be revoked if the device were lost or stolen, making it useless.

      3. The private key would only be used on-board, and would never leave the device. That means that the device could never be spoofed or copied.

      4. A user could have multiple devices, so wouldn't have to present the same identity for all services. All the devices could be activated by the same biometric mechanism, but the biometric data would be checked by the device, on the device, and would never need to be transmitted to the computer system asking for authentication. When you lose a device you only need to get a new device (with a new keyset and certificate) -- you don't need new fingerprints!

      5. If the same device is used to access multiple service accounts, and one is closed, it is not a problem that the device can still be used to identify the user. If the user (or an attacker) attempts to access the service on which the account has been closed the system will be able to verify the user's identity, but not associate that identity with a live account.

      Of course, to implement a system that did all this would be to place a lot of faith in the technology. If an attacker could obtain a user's device and spoof their fingerprints (before the device was reported missing and the certificate revoked) he could gain access. An attacker who could devise a way to extract the key data from the device would be able to spoof the device. An attacker who could break the cryptosystem used by the device would laugh all the way to ... wherever you go when there aren't any banks any more.

      Mine's the one with cash in the pocket.

  21. kayzam


    finger prints. i use my prints to start my car open doors and get this. to use it for my passwords

  22. Chris--S

    Biometrics are identity only

    I want my authentication to include a secret.

    Surely authentication needs to include identity + secret. Biometrics start being used to protect big amounts of money and you can bet a whole heap of ingenuity will be focused on forging/fooling biometric scanning devices.

    The more flexible biometrics are made to cope with natural variations due to age, environment, injury and disease, the easier it'll become to fool the reading devices.

  23. Philip Lewis

    What, no XKCD reference?

  24. mrjohn

    You can change a password, you cannot change your fingerprint, so what happens if the data used to recognise your fingerprint leaks?

    1. Peter Gathercole Silver badge


      You leave your password everywhere, unless you are like Michael Jackson, and wear gloves all the time.

      As soon as someone finds a way of lifting your fingerprints off the glass you drank your last pint from, and sorts out a method for creating a facsimile/feeding the correct hash from that into an authentication system, it will be busted wide open. And if there is a single hashing method, that will not take very long. Sounds soooooo secure to me!

      If you are going to use biometrics, use something that is not generally available! But as soon as you do, the data from that biometric will leak (your iris or retina data is only safe now because you have never had a reason to have it scanned. As soon as you do, it will become generally available).

      I'm also a little unhappy about putting my eye up to an optical device in a public place, because it would be possible for such a device to be hacked (like bank ATMs are now for card skimming) to do irreparable damage to my eyes (scenario, use a pulsed solid state laser to burn some small random patch of the eye. No immediate symptoms, so device may not be spotted immediately, but repeated use would degrade sight).

      So, possession of a physical token, plus a changeable secret, with additional further authentication to resolve conflicts, which may include biometrics used at some trusted local identity broker (physical presence required) would be my preferred solution.

      1. Peter Gathercole Silver badge

        Re: Leaks? @Me

        I MUST MUST MUST proofread my posts better. I meant to say "You leave your fingerprints everywhere...."

  25. Michael H.F. Wilkinson Silver badge

    Heel, FIDO! Heel!

    Sorry, couldn't resist.

  26. mr.K

    Biometric will never work

    Fingerprints is a crappy way for secure identity. It has always been, and will always be. So is DNA and any other biometric contraption that is automated. It does work if it is run by humans. There is a very simple reason for this, and I can see no way to overcome it. You leave your "password" everywhere. Bits of DNA falls off you all the time, and you do touch quite a large number of objects each day.

    So basically all the security in these systems is based on how good the sensor is, and I will not thrust a single piece of sensor with my bank accounts, e-mail, game accounts, theregister account *shudder*, etc. Sooner or later somebody will make a good enough replica of a finger so that the sensor will believe it is indeed a finger. Then all they need is to be the next in line to use the fuel pump and they can swipe my fingerprint. Or they can pick a piece of hair that fell off me.

    Iris is a bit more tricky, but I am quite confident that the technology will get there that they can be scanned from some distance. Or you always have the "Here, try my Google Glasses." The point is that along with all other biometric it is basically public data.

    So thus, biometric is stupid, it is a braindead idea from the start. It does work in pass controls, credit cards in stores and all the other places where there is a physical person that checks you are not pulling out a fake finger. There is a reason most debit and credit cards still only use a four digit pin while the rest of the world requires eight character alphanumerical passwords. I have no idea on the motive of this guy, but he is probably smart enough to know this. Yet, he fronts this.

    1. stanimir

      Re: Biometric will never work

      Actually no good copy of a finger is needed, just a digital copy the data of a comparably sensitive sensor and pass it - sockets transfer data in digital format. If the raw (non hashed/salted) data is acquired, basically the entire system is entirely compromised.

  27. JaitcH

    "the USER is then TOLD what sort of input is needed to verify their identity"

    Not exactly democracy in action. Just who the hll does PP think it is when it says: USER is then TOLD?

    Stuff it PayPal, there are better funds transfer systems around, and they neither pinch customers funds or impose their political thoughts upon them.

  28. Aebleskiver
    Thumb Down

    No thanks...

    I'm guessing this guy has never seen an episode of Red Dwarf or the film Demolition Man...

    1. MrMcginty

      Re: No thanks...

      Surely a retinal or fingerprint scanner should have built into it a sensor which confirms blood-flow in the digit/eyeball being used to identify?

  29. This post has been deleted by its author

  30. ballist1x

    They dont remember Demolition Man?

    Sci-Fi has already shown us that this is not foolproof. As Ableskiver has already pointed out...

    Also, what if im physically located at home but i want my work colleague to log in and check my email?

    What if i break my arm and cannot physically run my hand through the machine, or if i have an eye infection etc.

    What is in future crims' start taking fingerprints off everyday things like banisters or the soap dispenser and so on and so forth.

    1. Anonymous Coward
      Anonymous Coward


      "...I want my work colleague to log in and check my email?"

      Massive, utter security FAIL

      Never, never should a password be given to anyone else.

      There are suitable mechanisms for allowing access, for example, to files or e-mail accounts. If you are even thinking of saying your password out loud or writing it down, your security system is fundamentally flawed and completely unfit for purpose.

      Again, I would have expected all visitors to this tech site to understand this basic, irrefutable principle. Security 101.

  31. Colin Millar
    Black Helicopters

    No need for all those passwords anyway

    All you should need to do (for shopping) is secure the route to your own bank. Then get a reference from the retailer which you go off and pay. Retailer gets cash for reference and triggers the delivery/download option.

    If you deal with a dodgy website the worst that happens is you get ripped off for 1 purchase - at least they don't have the card details.

    Of course it won't happen. The undead hordes would rather have something 2 seconds earlier even if it means if giving away all their financial details to a complete stranger. It also makes anonymous shopping (at POS) a real possibility and no-one is going to do that just for an infiniteley more secure payment method.

  32. MrZoolook

    Bank: "We noticed some suspicious activity on your card sir."

    Customer: "I'm on my way to hospital, can this wait?"

    Bank: (ignorant operator as always) "It seems someone purchased an on-line porn subscription."

    Customer: "Well it wasn't me cos I am blind and on my way to hospital."

    Bank: "Unfortunately sir, the transaction was verified by retina scan."

    Customer: "That's why I am going to hospital. My eyes were just gouged out."

    Bank: "Sorry to hear that sir, but your security option doesn't cover you if you allow access to your eye-balls."

    Bank: "Good-bye."

  33. JLV
    Thumb Down

    You really want to trust Paypal?

    Some years back, while Skype was part of eBay, I wanted to sign up for the $30/year unlimited calls in North America.

    Now, Skype pretty much was forcing me to use Paypal, so I had to try to hook my Visa card to my Paypal account which was dormant at the time.

    Everytime I submitted the CC info, Paypal wanted another bit of "proof", starting with signing up to Verified by Visa. I gave up after about 45 minutes.

    Think about it - Paypal is being anal in the context of a $30 yearly subscription to an all-you-can-eat service that is provided by Skype, their sister company. Provisioning phone calls doesn't cost Skype anything. And, if my CC info turns out to be fraudulent, Skype can just suspend my service. For a whopper "loss" of $2.50 in the first month of service. I mean, how stupid can you get?

    Not the only run-in I've had with them, far from.

    I understand Paypal wants to prevent fraud, but their behavior is arrogant, arbitrary and unpleasant. This guy can prattle on all he wants about authentication, but how good will the service be in practice?

    Basically, my rule is not to deal with merchants that require you to use Paypal.

This topic is closed for new posts.

Other stories you might like