PayPal goes passwordless with support for passkeys

silversurfer

According to PayPal, the new passkey technology will first be made available on iPhone, iPad, and Mac on PayPal.com before it’s expanded to other platforms. Commenting on today’s news, Doug Bland, SVP and GM, Head of Consumer, PayPal, said:
“Launching passkeys for PayPal is foundational to our commitment to offering our customers safe, secure and easy ways to access and manage their daily financial lives. We are excited to provide our customers a more seamless checkout experience that eliminates the risks of weak and reused credentials and removes the frustration of remembering a password. We are making it easier for customers to shop online.”

Once you log in to PayPal in the browser on a supported operating system, you’ll be given the option to “Create a passkey”. You can then use Apple Face ID or Touch ID to authenticate. Once the passkey is created it’ll be synced with your iCloud Keychain, and you’ll just need to authenticate to log in, rather than provide a password.

If you’re logging in on an unsupported device, you’ll be offered a QR code that you can scan with your iPhone; from there you can verify in the usual way to log in on the original device. PayPal says passkeys are now rolling out to customers in the United States and will be arriving in other countries in early 2023 and on other platforms as support for passkeys is added.
 

upnorth

The new alternative is known as passkeys. Generically, passkeys refer to various schemes for storing authenticating information in hardware, a concept that has existed for more than a decade. What’s different now is that Microsoft, Apple, Google, and a consortium of other companies have unified around a single passkey standard shepherded by the FIDO Alliance. Not only are passkeys easier for most people to use than passwords; they are also completely resistant to credential phishing, credential stuffing, and similar account takeover attacks.

On Monday, PayPal said US-based users would soon have the option of logging in using FIDO-based passkeys, joining Kayak, eBay, Best Buy, CardPointers, and WordPress as online services that will offer the password alternative. In recent months, Microsoft, Apple, and Google have all updated their operating systems and apps to enable passkeys. Passkey support is still spotty. Passkeys stored on iOS or macOS will work on Windows, for instance, but the reverse isn’t yet available. In the coming months, all of that should be ironed out, though.
Passkeys work almost identically to the FIDO authenticators that allow us to use our phones, laptops, computers, and Yubico or Feitian security keys for multi-factor authentication. Just like the FIDO authenticators stored on these MFA devices, passkeys are invisible and integrate with Face ID, Windows Hello, or other biometric readers offered by device makers. There’s no way to retrieve the cryptographic secrets stored in the authenticators short of physically dismantling the device or subjecting it to a jailbreak or rooting attack.

Even if an adversary was able to extract the cryptographic secret, they still would have to supply the fingerprint, facial scan, or—in the absence of biometric capabilities—the PIN that’s associated with the token. What’s more, hardware tokens use FIDO’s Cross-Device Authentication flow, or CTAP, which relies on Bluetooth Low Energy to verify the authenticating device is in close physical proximity to the device trying to log in. Until now, FIDO-based security keys have been used mainly to provide MFA, short for multi-factor authentication, which requires someone to present a separate factor of authentication in addition to the correct password. The additional factors offered by FIDO typically come in the form of something the user has—a smartphone or computer containing the hardware token—and something the user is—a fingerprint, facial scan, or other biometric that never leaves the device.
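
The post above says passkeys resist credential phishing and that the fingerprint, facial scan or PIN is still required. As an added example (not part of the post, and not PayPal's code), this Node.js code shows the relying-party checks in WebAuthn, the FIDO standard behind passkeys, that enforce both: the origin and RP ID binding, and the user-verified flag the authenticator sets. `shop.example`, the look-alike origin and all function names are assumptions; the key pair and assertions are constructed locally.

```javascript
const crypto = require('node:crypto');

const RP_ID = 'shop.example';          // assumed relying-party ID
const ORIGIN = 'https://shop.example'; // assumed legitimate origin
const sha256 = (b) => crypto.createHash('sha256').update(b).digest();

// Constructed stand-in for browser + authenticator: the browser records the
// page's origin; the authenticator signs authData || SHA-256(clientDataJSON).
function makeAssertion(privateKey, { origin, challenge, rpId = RP_ID, flags = 0x05 }) {
  const clientDataJSON = Buffer.from(JSON.stringify({
    type: 'webauthn.get', challenge: challenge.toString('base64url'), origin }));
  const counter = Buffer.alloc(4);
  counter.writeUInt32BE(1);
  const authData = Buffer.concat([sha256(rpId), Buffer.from([flags]), counter]);
  const signed = Buffer.concat([authData, sha256(clientDataJSON)]);
  return { clientDataJSON, authData, signature: crypto.sign('sha256', signed, privateKey) };
}

// Relying-party side: returns 'ok' or the reason the login is refused.
function verifyAssertion(publicKey, expected, { clientDataJSON, authData, signature }) {
  const client = JSON.parse(clientDataJSON.toString('utf8'));
  if (client.type !== 'webauthn.get') return 'wrong type';
  const got = Buffer.from(String(client.challenge), 'base64url');
  if (got.length !== expected.length || !crypto.timingSafeEqual(got, expected))
    return 'challenge mismatch';                          // replayed or foreign
  if (client.origin !== ORIGIN) return 'origin mismatch'; // phishing page
  if (authData.length < 37) return 'short authenticator data';
  if (!authData.subarray(0, 32).equals(sha256(RP_ID))) return 'rpIdHash mismatch';
  if (!(authData[32] & 0x01)) return 'user not present';  // UP flag
  if (!(authData[32] & 0x04)) return 'user not verified'; // UV: biometric or PIN
  const signed = Buffer.concat([authData, sha256(clientDataJSON)]);
  return crypto.verify('sha256', signed, publicKey, signature) ? 'ok' : 'bad signature';
}

// Constructed key pair and assertions, generated locally for the demo.
const { publicKey, privateKey } = crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
function demo() {
  const challenge = crypto.randomBytes(32);
  const check = (opts, expected = challenge) =>
    verifyAssertion(publicKey, expected, makeAssertion(privateKey, { origin: ORIGIN, challenge, ...opts }));
  return {
    genuine: check({}),
    lookAlike: check({ origin: 'https://shop-example.test' }),
    noBiometric: check({ flags: 0x01 }),
    replayed: check({}, crypto.randomBytes(32)),
  };
}
console.log(demo());
```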
 

silversurfer

Secure Payments with Passkeys Is Now Available on PayPal for Google Android Devices
PayPal helps customers shop and pay with peace of mind knowing their privacy, money and purchases are protected every step of the way. We recently took another step to help customers access their account and pay securely by introducing passkeys on Apple iOS as a new, easy and secure log-in method for eligible PayPal customers. Today, we’re expanding passkeys to eligible customers on Google Android devices, starting on Android mobile web.

Rolling out to customers now and becoming more widely available over the coming year, Android mobile device users in the U.S. running the Android 9+ operating system can now create a passkey for their PayPal personal account using the Chrome browser. Once a PayPal user creates a passkey, users won't need to remember or type in their password to log in, allowing them to check out with greater ease.

Passwords are still here to stay on PayPal. With the option to create a passkey, Android users can take the next step toward a passwordless future, today.
 
