Follow Slashdot blog updates by subscribing to our blog RSS feed

 



Forgot your password?
typodupeerror
×
Security Privacy

PayPal is Getting More Secure Passkey Logins (theverge.com) 25

PayPal has announced today that passkeys are being added as a new, password-less login method to secure PayPal accounts for iPhone, iPad, and Mac users on PayPal.com, with plans to expand passkeys to other platforms as they add support. From a report: PayPal passkeys are rolling out to US customers today and will be available to "additional countries" in early 2023. Passkeys are a new type of login credential that replaces passwords with cryptographic key pairs. They are resistant to phishing attempts and are designed to avoid sharing passkey data between platforms, addressing the weakness of current password-based authentication.

Passkeys are supported by Apple, Google, and Microsoft, who have pledged to bring the FIDO Alliance standard to their respective OSes. Reusing passwords across online accounts leaves users open to hacking and other vulnerabilities, but remembering individual login details is no easy task without a secure password manager. A study from Verizon shows that over 2.6 billion records were hacked in 2017, with 81 percent estimated to have been caused by password stealing and guessing.

This discussion has been archived. No new comments can be posted.

PayPal is Getting More Secure Passkey Logins

Comments Filter:
  • I doubt I can memorize a practical cryptographic key pair.

    • Plus, that memorized password can be used from multiple devices. What if I'm sitting at my laptop and want to buy something with PayPal - am I supposed to now somehow find that same site and shopping cart on my phone so I can use a "Passkey" with my payment provider?

      If I can store this passkey on multiple devices which are only secured with a password, doesn't that kind of defeat the point?

    • by AmiMoJo ( 196126 )

      That's the point. You can only remember so many passwords, so you reuse them. Human memory makes for weak security.

      For many years the standard advice has been to use a password manager. The problem with passwords is that every site has different requirements for minimum and maximum length, require characters and so forth. Using a standardized crypto key allows the whole process to be easily automated and more secure.

      • being able to have access to zero cryptographic keys when my phone is lost, stolen, or broken seems less useful than knowing 30 passwords at all times.

        P.S. you can also start my car or open my front door if you know where I hid the key. But you probably won't bother to find it.

        • being able to have access to zero cryptographic keys when my phone is lost, stolen, or broken seems less useful than knowing 30 passwords at all times.

          Don't worry, you'll probably be able to get a new passkey by calling them up and giving them your mother's maiden name.

        • by AmiMoJo ( 196126 )

          That's what backup codes are for. When you generate the Passkey you get a set of single use codes that you can store securely somewhere, in case you lose access to your Passkey. Google will also save them to your Google account, but I assume you are too paranoid to trust that.

  • From the featured article:

    Passkeys are a new type of login credential that replaces passwords with cryptographic key pairs.

    It links to a previous article [theverge.com] stating:

    Passkeys work by letting you log in to an app or website with just your username and your pre-authenticated device — which uses a cryptographic token instead of a password

    Is this the same concept as TLS client certificates, just with better user interface for enrollment, selection, and sharing across a user's devices? Also, the article lists macOS, iOS, Windows Hello, and Android, leaving other operating systems conspicuous by their absence. Is X11/Linux not invited?

    • by AmiMoJo ( 196126 ) on Monday October 24, 2022 @05:09PM (#62994865) Homepage Journal

      It's a bit different to TLS client certificates. In the case of TLS the client certificates are handed out by the server, and signed with a private key. That's not ideal for user sign up, because a certificate would need to be generated for each user from the private key, meaning the private key needs to be somewhere accessible to an internet facing server that handles the sign up process. Ideally with TLS you want to keep your private key offline where it can't be hacked so easily.

      I suppose you could generate loads of certificates in advance and make those available the the public server, but then you risk having loads of certificates stolen, i.e. every new account that gets created is already 0wned, or you can create fake accounts etc.

      With Passkeys the browser handles the secret. If you computer is hacked to the point where the secret can be extracted then it's game over anyway, and only one person's accounts were compromised.

  • by bugs2squash ( 1132591 ) on Monday October 24, 2022 @04:24PM (#62994775)
    These damn apps track you everywhere, why not just present the user with a bunch of addresses(some real some bogus) and ask the user to confirm where they were last week
  • Just in time (Score:4, Interesting)

    by AmiMoJo ( 196126 ) on Monday October 24, 2022 @05:18PM (#62994883) Homepage Journal

    Great timing on PayPal's part. I deleted my PayPal account a couple of years back when eBay no longer required it. PayPal has been insecure since the start, and by inserting themselves as middlemen they not only add cost, they make it harder to do chargebacks.

    Is there any reason to have a PayPal account now? You don't need it for eBay, and you can pay via PayPal without an account for sites that are stuck on it. Most banking apps have similar money transfer features for paying friends, the original ideal and source of the name.

    • by Anonymous Coward

      I've stopped using it in the last month. Suddenly they produced a demand, out of nowhere, for a photograph of me. WTF?

      In a year where state hackers have broken open and stolen my personal information from telephone company, medical and government institutions, Payfukinpal wants me to make me even more vulnerable. There is no reason, nil, nada, that a 20 year old account in good order suddenly needs a photograph "to keep it safe".

      F them.

      • I tried to delete my account and they not only wanted a photograph but also a govt issued id card.

        It was easier to cancel the associated credit card account and filter out their email than to work through their "customer support."

        • They also lost a lot of customers last week with their weird, since walked back, "If you post disinformation, we will "fine" you." statement.
    • Is there any reason to have a PayPal account now?

      PayPal is still useful for person-to-person payments from a desktop or laptop computer.

      Most banking apps have similar money transfer features for paying friends

      Cash App, for example, requires either an iPhone or an Android phone with Google Play. It is not available on Amazon Appstore (I checked 5 minutes ago) and therefore not compatible with Windows 11 WSA or other Android implementations for computers that use Amazon Appstore. There appears to be no way to sign up or pay friends from a computer running Windows, macOS, or X11/Linux.

  • Is the service just a service that allows me to send and recieve money?
    Is it still a fake bank that want you to buy crypto?

In order to dial out, it is necessary to broaden one's dimension.

Working...