PayPal, Lenovo Launch New Campaign to Kill the Password

A new standard that gives phones and PCs a bigger role in authentication could disarm attacks that rely on stealing passwords.

Although nearly universal, passwords are an imperfect way to protect online accounts. Technology that makes them less critical could improve online security.

A consortium including PayPal and Lenovo, the world’s second-largest PC manufacturer, has launched a set of technology standards that could reduce reliance on passwords, potentially making online accounts more secure.

Under the standards put forward by the FIDO Alliance, the device a person is using to log in to an account would play a more central role in authentication. That would make it impossible to compromise accounts by stealing passwords, as hackers did in order to break into Twitter this month and LinkedIn last year.

“Customers’ credentials are [today] easily retrievable by criminals by techniques such as password guessing, credential theft at websites or phishing,” says Michael Barrett, chief information security officer at PayPal and a cofounder of the FIDO Alliance. “FIDO is significant because it helps to move us into a world where credentials are much more bound to the device and it’s much harder for the criminal to abscond with them.”

A company using the technical specifications being developed by the FIDO Alliance might get proof of a person’s device by checking the security chip that is installed in many PCs, or prompting a user with the right hardware to use a fingerprint reader. Barrett says that offering an open standard any company can adopt or sell will drive widespread adoption of the new technique, diminishing the password’s role in securing personal accounts.

Companies that opt to use the new approach will have the option of requiring both a password and a secondary authentication method tied to a device, or dispensing with the password altogether. “We finally can stop relying on these things that have been troubling us since the mainframe era,” says Phil Dunkelberger, previously CEO of PGP Corporation and now CEO of Nok Nok Labs. His new startup, which has $15 million in funding, has developed software that enables companies to secure their accounts using the FIDO standards.

One goal of the FIDO Alliance is to make better use of security hardware in existing devices that is little used today. Most desktop and laptop computers (and some tablets) already contain a piece of security hardware, known as the TPM chip, that can be used to verify who is using a particular device (today it’s used mostly to enable disk encryption). Dunkelberger says his company’s software can make similar use of the security chip included with the near-field communications hardware in some phones, which is used for making wireless payments. ARM and Intel both have plans to make technology similar to TPM standard in phones and tablets.

Requiring a person to offer both a password and a physically linked secondary proof is an approach known as “two-factor authentication.” Although widely advocated by security experts, it is relatively uncommon. Banks and large companies are the most enthusiastic adopters of two-factor authentication. Although some consumer companies offer it, Google, Dropbox and Facebook included, only a fraction of their users have adopted it.

For a company to adopt the FIDO approach, it must put the correct software on its servers and persuade customers to install new software on the phones and computers they use to access their accounts. The technology on the user’s end could be included in a mobile app or offered as a browser plug-in.

The FIDO specification is also designed to check a person’s credentials more safely than is usual today. Normally, when someone logs in to, say, an e-mail account from their phone, an encrypted version of their password is transmitted to a remote server to be compared against a database of passwords. Every time that happens, the password can potentially be intercepted and decrypted. The central password database can also be compromised, which is what happened in the case of Twitter. Passwords stolen that way can be used to take control of a person’s account.

In the FIDO method, no password or identifying information is sent out; instead, it is processed by software on the phone or computer. This software calculates cryptographic strings to be sent to a login server. The strings can be used to confirm that the person supplied the correct credentials, but not to reveal the login information. At the same time, the user’s device receives a cryptographic string allowing it to verify that the server it is communicating with is the real one, not an impostor.

As a result, the FIDO approach removes the incentive to steal passwords en masse from Web companies, says Ramesh Kesanupalli, a cofounder of the FIDO Alliance: “You have to go by single units, so there’s no scalability.” To compromise an account protected this way, he says, “I have to get your password and also steal your device.”
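As an added illustration of the exchange described in the preceding paragraphs (example code, not from the article or the FIDO Alliance), here is a simplified device-bound login in Go: the server stores only a per-user public key, the device signs a server-issued nonce bound to the site's origin, and it first checks a server signature so it can refuse an impostor. The origin string, the server signing key and the nonce bookkeeping are assumptions of this model, not the FIDO specification.

```go
package main

import "crypto/ed25519"
import "crypto/rand"

// Server keeps only public keys (useless to whoever dumps the database) and its issued one-time nonces.
type Server struct {
	origin  string
	signKey ed25519.PrivateKey // assumed: lets the device check the server's identity
	users   map[string]ed25519.PublicKey
	pending map[string]bool
}
func NewServer(origin string) *Server {
	_, sk, _ := ed25519.GenerateKey(rand.Reader)
	return &Server{origin: origin, signKey: sk, users: map[string]ed25519.PublicKey{}, pending: map[string]bool{}}
}

// Register enrols the public half of a fresh key pair; the private half stays on the device.
func (s *Server) Register(user string) ed25519.PrivateKey {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	s.users[user] = pub
	return priv // stands in for the device's key store in this example
}

// Challenge issues a random nonce signed with the origin, so the device can reject an impostor server.
func (s *Server) Challenge() (nonce, serverSig []byte) {
	nonce = make([]byte, 32)
	rand.Read(nonce)
	s.pending[string(nonce)] = true
	return nonce, ed25519.Sign(s.signKey, append([]byte(s.origin), nonce...))
}

// Respond (device side) checks the server first, then signs origin||nonce; no secret is transmitted.
func Respond(priv ed25519.PrivateKey, serverPub ed25519.PublicKey, origin string, nonce, serverSig []byte) ([]byte, bool) {
	msg := append([]byte(origin), nonce...)
	if !ed25519.Verify(serverPub, msg, serverSig) {
		return nil, false // impostor server: produce no assertion at all
	}
	return ed25519.Sign(priv, msg), true
}

// Verify consumes the nonce (a captured assertion cannot be replayed) and checks the device signature.
func (s *Server) Verify(user string, nonce, assertion []byte) bool {
	pub, ok := s.users[user]
	if !ok || !s.pending[string(nonce)] {
		return false
	}
	delete(s.pending, string(nonce))
	return ed25519.Verify(pub, append([]byte(s.origin), nonce...), assertion)
}
```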

One potential downside of having the new specification adopted by many companies, however, is that it creates a large potential target for hackers, points out Michael Versace, a research director at the analysis firm IDC, who is familiar with the FIDO Alliance’s plans. “There would be a strong incentive for attackers to find vulnerabilities in such a large system,” he says. “A successful attack would cause systemic identity failures in the network they support.”

For the consortium to make a major impact, it will need to tempt many more companies to sign up, adds Versace. “FIDO’s chance of gaining traction initially is tied to PayPal,” he says, adding that so far the group has talked mostly about its technical approach, not about how it will make it appealing to companies in business and financial terms.

That could be particularly difficult when it comes to the largest Web companies, such as Google and Facebook, which may have their own plans, says Versace. Google, for instance, is known to be testing alternatives to the password based on USB keys (see “Google’s Alternative to the Password”).
