From Voice Biometrics Conference San Francisco (May 8-9, 2013), Michael Barrett, Chief Information Security Officer, PayPal -- With the explosive growth of electronic commerce and mobile banking, the need for strong authentication is growing. PayPal is helping spearhead the FIDO Alliance, which introduces a viable alternative to passwords with a standards-based approach to authentication that raises security and ensures privacy, while simplifying authentication. FIDO unleashes vast potential for both existing and many new markets. The question is: "How big is the market opportunity for voice and all biometrics in a FIDO enabled world?"
2. Opportunity for Better Authentication is Upon Us
Passwords Just Do Not Work…
For Users: Painful to Use
• 25 Accounts
• 8 Logins / Day
• 6.5 Passwords
For Organizations: Difficult to Secure
• $5.5M / Data Breach
• $15M / PWD Reset
• $60+ / Token
For the Ecosystem: Impossible to Scale
• Fragmented
• Inflexible
• Slow to Adopt
3. Experiences with Identity and Authentication
[Chart: Common experiences related to authentication failure (respondents who say it happened to them one or more times over the past 2 years)]
Users are frustrated - password complexity requirements working against them instead of supporting them
4. Security is not a Continuum…
[Quadrant chart: axes Security (Low to High) and Usability (Low to High); quadrants labelled JUST EASY, SECURE & EASY, JUST BAD, UNPLEASANT]
5. Do You Really Want Your Refrigerator to Know Your PayPal Password?
9. How FIDO Works
[Diagram: FIDO Authenticators, Device Specific Module, FIDO Plugin, Browser, Website, Validation Cache, FIDO Repository, Vendor Tokens; numbered steps 1 to 6; arrow labels "secret", "secrets", "refresh"]
10. The FIDO “User” Experience
• User picks their own token type
• User decides when/if to bind their token to their account
• Existing tokens (like finger) can be used by downloading the FIDO plugin
• User can download the plugin from various sites
• User could have a PIN-protected USB drive to use while travelling
11. Voice Experience
[Screen mock-up: prompt "Please say your passphrase to log into your account" with a "Speak" button]
14.
• The Internet needs better authentication, now
• Stronger authentication is not “better authentication”
• An industry standards based approach is the only viable way forward
• “Whether you believe you can do a thing, or not, you are right” (Henry Ford)
15. Michael Barrett, CISM, CISSP
Chief Information Security Officer
mbarrett@paypal.com
PayPal
Thank You for Your Time!