PayPal Pushes Password-less Payments

PayPal will be pushing hard to advance password-free authentication now that a complete version of the Fast Identity Online (FIDO) specifications has been published, the company said in a blog post on Wednesday (Dec. 10).

PayPal was a founding member of the FIDO Alliance in early 2013. The new specification offers two protocols: a "universal second factor" (U2F) that uses passwords and a physical token, and a "universal authentication framework" (UAF) that replaces passwords completely.

"We've chosen to use the UAF specification since it's easy for our customers to use (often leveraging biometric information), acts as a full password replacement, and increases security and privacy," wrote Andy Steingruebl, PayPal's Director of Ecosystem Security. The company deployed an early UAF version for Samsung's smartphones that include a fingerprint reader.

Steingruebl said that in PayPal's FIDO implementation, the fingerprint is not stored in the cloud or on the device. Instead, it's converted to a "template" that never leaves the device. Once a user logs in with a fingerprint, the FIDO key is unlocked to verify the user's identity, and sent over an encrypted channel for online authentication. The system also prevents PayPal from tracking its customers through the protocol.

The FIDO Alliance currently includes more than 150 members, among them Visa, MasterCard, Discover, Alibaba, Bank of America, Wells Fargo, Google and Microsoft.


