PayPal’s Chief Information Security Officer, Michael Barrett, spoke at Interop to announce the impending death of passwords.
“We have a tombstone here for passwords,” Barrett told the audience, as he displayed a slide with a tombstone for passwords and the years 1961 to 2013 engraved on it. “Passwords, when used ubiquitously everywhere at Internet scale, are starting to fail us,” he added.
Barrett notes that users tend to choose poor passwords and reuse them across multiple services.
“Users will pick poor passwords and then they’ll reuse them everywhere,” Barrett said. “That has the effect of reducing the security of their most secure account to the security of the least secure place they visit on the internet.”
Barrett’s solution is the FIDO Alliance. An open approach to secure authentication, FIDO lets you bring your own security device. Websites dynamically discover FIDO devices and ask users whether they want to connect those devices to their accounts. Once enrolled, users can just swipe their finger, insert a USB device or enter a PIN to access those websites.
Notably, Barrett expects the iPhone to help with this switch to device-based authentication.
“It’s widely rumored that a large technology provider in Cupertino, Calif., will come out with a phone later this year that has a fingerprint reader on it,” he said. “There is going to be a fingerprint-enabled phone on the market later this year. Not just one, multiple.”
“These kinds of trends take a while,” he said. “We’re in this world-changing moment, but it’s going to take several years before you see real, mass turning of the ship. But the ship is turning.”