Moving Beyond Passwords
More than half of Canadians own a mobile phone, and 75 per cent of those phones are smartphones, according to 2014 comScore data. Many Canadians use their smartphones to perform highly personal tasks such as online banking and social networking. Even so, a 2013 Norton Report by Symantec estimates that nearly half of global smartphone users don’t take basic safety precautions such as using a password. Convenience is the culprit and safety is the sacrifice.
In an effort to make security more convenient, PayPal spearheaded an industry collaboration called the FIDO (Fast Identity Online) Alliance to help global partners – such as Google, Samsung and Microsoft – move beyond passwords. As of today, FIDO is 150 members strong and we recently published the 1.0 version of our specifications. The new specifications are available for any organization to implement. Most importantly, these specifications make authentication easier and more secure, while also maintaining privacy.
There are two kinds of FIDO specifications: one is password-less (UAF) and the other makes use of a second factor for authentication (U2F). We’ve chosen to use the UAF specification because it acts as a full password replacement, it’s easy to use (often leveraging biometric information, such as a fingerprint), and it increases your security and privacy.
Last year, we deployed an early version of this specification with Samsung. Now, PayPal customers can shop and pay with their fingerprint at millions of businesses worldwide on the latest Samsung devices.
Paying with your fingerprint sure sounds easy, but how does this method maintain privacy and security? With the FIDO specification, PayPal never stores biometric information – in this case, your fingerprint – in the cloud or on the device. Instead, your fingerprint is converted to a “template” which never leaves your smartphone. Once you log in with your fingerprint, the FIDO key is “unlocked” to verify your identity. We also perform the authentication over encrypted channels to increase security.
We hope to see more companies adopt these specifications, which will help the entire industry move beyond passwords. PayPal will continue its work with the FIDO Alliance as it supports a growing community dedicated to the development of secure and easy-to-use authentication methods.

Andy Steingruebl, Director of Ecosystem Security
