PayPal will be pushing hard to advance password-free authentication now that a complete version of the Fast Identity Online (FIDO) specifications has been published, the company said in a blog post on Wednesday (Dec. 10).
PayPal was a founding member of the FIDO Alliance in early 2013. The new specification offers two protocols: a "universal second factor" (U2F) that uses passwords and a physical token, and a "universal authentication framework" (UAF) that replaces passwords completely.
"We've chosen to use the UAF specification since it's easy for our customers to use (often leveraging biometric information), acts as a full password replacement, and increases security and privacy," wrote Andy Steingruebl, PayPal's Director of Ecosystem Security. The company deployed an early UAF version for Samsung's smartphones that include a fingerprint reader.
Steingruebl said that in PayPal's FIDO implementation, the fingerprint is not stored in the cloud or on the device. Instead, it's converted to a "template" that never leaves the device. Once a user logs in with a fingerprint, the FIDO key is unlocked to verify the user's identity, and sent over an encrypted channel for online authentication. The system also prevents PayPal from tracking its customers through the protocol.
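The fingerprint-unlocks-a-key flow described above, modelled in Go as an added example; this is not PayPal's or the FIDO Alliance's code and it does not use the real UAF message formats. In the FIDO model the private key never leaves the device: the authenticator only signs a one-time challenge issued by the server, and a separate key pair per relying party is what keeps one site from recognising the same user at another. The relying-party names, the user "alice" and the "fingerprint" strings (hashed to stand in for a template) are all constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Authenticator models a UAF authenticator on the user's device: the enrolled
// biometric template and every private key live only here.
type Authenticator struct {
	template [32]byte                     // hash of a constructed sample, standing in for a real template
	keys     map[string]*ecdsa.PrivateKey // one key pair per relying party (appID), never exported
}

// Register mints a key pair bound to one relying party and returns only the
// public half. Distinct keys per appID stop two sites correlating one user.
func (a *Authenticator) Register(appID string) (*ecdsa.PublicKey, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	a.keys[appID] = priv
	return &priv.PublicKey, nil
}

// signedDigest binds the appID into what is signed, so a signature produced
// for one site cannot be replayed to another.
func signedDigest(appID string, challenge []byte) []byte {
	d := sha256.Sum256(append([]byte(appID), challenge...))
	return d[:]
}

// Authenticate needs a local biometric match before the site's key is
// unlocked; the key stays on the device and only a signature over the
// server's challenge travels.
func (a *Authenticator) Authenticate(appID, sample string, challenge []byte) ([]byte, error) {
	if sha256.Sum256([]byte(sample)) != a.template {
		return nil, errors.New("biometric mismatch: key stays locked")
	}
	priv, ok := a.keys[appID]
	if !ok {
		return nil, errors.New("no credential registered for this relying party")
	}
	return ecdsa.SignASN1(rand.Reader, priv, signedDigest(appID, challenge))
}

// RelyingParty models the server: it stores only public keys and checks
// signatures over a challenge it generated fresh for this login.
type RelyingParty struct {
	appID string
	users map[string]*ecdsa.PublicKey
}

func (rp *RelyingParty) Verify(user string, challenge, sig []byte) bool {
	pub, ok := rp.users[user]
	return ok && ecdsa.VerifyASN1(pub, signedDigest(rp.appID, challenge), sig)
}

// Demo runs the exchange end to end with constructed names and reports whether
// the enrolled fingerprint logs in, a different one is refused, a signature
// for one site fails at another, and the two sites hold unrelated public keys.
func Demo() (loginOK, wrongFingerRejected, crossSiteRejected, keysDiffer bool, err error) {
	const finger = "constructed-fingerprint-sample"
	auth := &Authenticator{template: sha256.Sum256([]byte(finger)), keys: map[string]*ecdsa.PrivateKey{}}
	payments := &RelyingParty{appID: "https://payments.example", users: map[string]*ecdsa.PublicKey{}}
	shop := &RelyingParty{appID: "https://shop.example", users: map[string]*ecdsa.PublicKey{}}
	if payments.users["alice"], err = auth.Register(payments.appID); err != nil {
		return
	}
	if shop.users["alice"], err = auth.Register(shop.appID); err != nil {
		return
	}
	keysDiffer = !payments.users["alice"].Equal(shop.users["alice"])
	challenge := make([]byte, 32) // fresh per-login nonce issued by the server
	if _, err = rand.Read(challenge); err != nil {
		return
	}
	sig, err := auth.Authenticate(payments.appID, finger, challenge)
	if err != nil {
		return
	}
	loginOK = payments.Verify("alice", challenge, sig)
	_, lockErr := auth.Authenticate(payments.appID, "someone-elses-finger", challenge)
	wrongFingerRejected = lockErr != nil
	crossSiteRejected = !shop.Verify("alice", challenge, sig) // same user, same challenge, wrong appID
	return
}

func main() {
	ok, wrong, cross, differ, err := Demo()
	fmt.Println("login:", ok, "wrong finger refused:", wrong, "cross-site replay refused:", cross, "per-site keys differ:", differ, "err:", err)
}
```

The two properties worth noticing are the ones Steingruebl stresses: the server never receives the template or the private key, only a signature it can check against the public key it was given at registration, and because each relying party gets its own key pair, the credentials held by two sites have nothing in common to compare.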
The FIDO Alliance currently includes more than 150 members, among them Visa, MasterCard, Discover, Alibaba, Bank of America, Wells Fargo, Google and Microsoft.