Andy Steingruebl, Director of Ecosystem Security, PayPal
Last year, we spearheaded an industry collaboration called the FIDO (Fast Identity Online) Alliance to help move the industry beyond passwords. More than a year later, we’re 150 members strong – including companies like Google, Samsung and Microsoft – and we’ve published the final 1.0 versions of our specifications. The new specifications are available for any company to implement. Most importantly, they make authentication easier and more secure, while also maintaining people’s privacy.
We’ve known for some time now that there is a better way to perform authentication. Passwords have been around for decades, but password technology hasn’t kept up with the pace of innovation – from smartphones to wearables. Today, people want more security with even greater convenience. PayPal’s goal with FIDO was to help drive the change to better meet this customer need.
The FIDO specifications come in two flavors: one is password-less (UAF) and the other makes use of a second factor for authentication (U2F). We’ve chosen to use the UAF specification since it’s easy for our customers to use (often leveraging biometric information), acts as a full password replacement, and increases security and privacy.
Earlier this year, we deployed an early version of the FIDO specifications with Samsung so that PayPal customers can shop and pay with their fingerprint at millions of businesses worldwide on the latest Samsung devices.
But you’re probably wondering how this method is more secure while maintaining your privacy. With the FIDO specification, we never store the biometric itself – in our case, the fingerprint – in the cloud or on the device. Instead, the fingerprint is converted to a “template” that never leaves the device. Once you log in with your fingerprint, the FIDO key is “unlocked” and used to verify your identity. We also perform the authentication over encrypted channels to increase security. Plus, FIDO is designed so that the protocol itself cannot be used to track our customers, which is another way it protects your privacy.
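The flow described above, as an added illustration (not PayPal’s or the FIDO Alliance’s code, and not the UAF wire format): the device keeps the template and one private key per service, the server stores only the public key and checks a signature over a fresh challenge. Ed25519 stands in for the signature scheme; the app ID, template string and challenge bytes are constructed placeholders.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
)

// Authenticator models the device. The biometric template (a constructed placeholder string)
// and the per-relying-party private keys are held here and never leave the device.
type Authenticator struct {
	template string
	keys     map[string]ed25519.PrivateKey // one key pair per relying-party app ID
}

// freshBytes returns n cryptographically random bytes (used for key seeds and challenges).
func freshBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// Register mints a key pair for one relying party and returns only the public half; each app ID gets an unrelated key, so services cannot use keys to link a user.
func (a *Authenticator) Register(appID string) ed25519.PublicKey {
	priv := ed25519.NewKeyFromSeed(freshBytes(ed25519.SeedSize))
	if a.keys == nil {
		a.keys = map[string]ed25519.PrivateKey{}
	}
	a.keys[appID] = priv
	return priv.Public().(ed25519.PublicKey)
}

// Sign "unlocks" the relying party's key only after a local biometric match and signs the challenge bound to the app ID; neither sample nor key crosses the wire.
func (a *Authenticator) Sign(appID, sample string, challenge []byte) ([]byte, error) {
	priv, ok := a.keys[appID]
	if !ok || sample != a.template {
		return nil, errors.New("local biometric match failed or no key for this relying party")
	}
	return ed25519.Sign(priv, append([]byte(appID+"|"), challenge...)), nil
}

// NewChallenge is the server side: a fresh 32-byte challenge per login, so a captured signature cannot be replayed.
func NewChallenge() []byte { return freshBytes(32) }

// Verify is the server's check; the stored public key is all it needs, never the biometric.
func Verify(appID string, pub ed25519.PublicKey, challenge, sig []byte) bool {
	return ed25519.Verify(pub, append([]byte(appID+"|"), challenge...), sig)
}
```

The server never receives the template or the private key; a leaked server database yields only public keys, and a signature captured on the wire is useless against a later challenge or another service.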
We anticipate that even more companies will adopt these specifications, which will help the entire industry move dramatically beyond passwords. We’ll continue our work with the FIDO Alliance as it supports a growing community dedicated to developing secure, easy-to-use, and privacy-respecting ways to authenticate.