LAS VEGAS -- The moment of truth comes for many users when two small but daunting words pop up on their computer or mobile device: username and password. Trying to recall passwords and PINs with varying capital and lower-case letter and number combinations across multiple accounts doesn't come easy to many people. But what if users could authenticate themselves using their fingerprints or another unique identifier on their mobile device?
A world without passwords may be hard to imagine, but the Internet is headed in this direction, according to Michael Barrett, CISM, CISSP and chief information security officer for PayPal.
"Passwords are painful and aren't working for users, organizations or the ecosystem," Barrett said during his keynote address at Interop this week.
While users may have had to remember four or five passwords and usernames 10 years ago, the average user now has 25 separate accounts -- including business and personal accounts -- with eight different logins and 6.5 passwords, he said. And as some websites, such as banking and online shopping sites, now ask for more sophisticated passwords with letter and number combinations to ensure greater security, users are becoming frustrated in the process.
"No one is a stranger to getting locked out of their own account, and users are not happy campers," Barrett said.
Michael Barrettchief information security officer, PayPal
The Fast Identity Online (FIDO) Alliance -- a group established in 2012 to address the issues users face with creating and recalling multiple online IDs and passwords, as well as the lack of interoperability between authentication methods -- wants to revolutionize the way online authentication is done.
The alliance has argued that passwords are no longer working for users and are starting to impede the development of the Internet. Even when users believe they have chosen a unique password, many in reality are creating weak passwords and trying to reuse them as often as possible, said Barrett, who also serves as president of the FIDO Alliance.
The industry needs stronger user authentication methods, but they shouldn't cause any more friction for users. "It's got to be safe, but [also be] as easy as possible," Barrett noted.
FIDO Alliance seeks to 'obliterate' usernames and passwords
The ubiquity of mobile devices has created demand for a better solution to authentication, but experts are finding there isn't one answer to the problem.
The FIDO Alliance is working on an alternative approach, which requires software to be downloaded on the user device. The software will be able to authenticate the user by identifying the device itself and sending FIDO's protocol back to a third party's server -- like PayPal's, Barrett said.
"Once you enter our site, we will be able to ping that device with a FIDO client that can respond, noting that the device is in use by a registered user," he said. And cumbersome passwords won't be required to prove it.
Last year, Apple acquired FingerWorks, a gesture recognition company, prompting rumors that the company will release a new phone with a fingerprint reader this year. Retina screening offers another way to identify a registered user.
"Front-facing cameras on smartphones have gotten good enough to take accurate pictures of eyes, and [they] can do facial recognition," Barrett said.
Whatever weapon of choice the alliance selects, "FIDO is looking to obliterate all usernames, passwords and PINs from the face of the planet" in the next few years, Barrett said.
"Within the next year, you will see FIDO-enabled devices in the market," he said.