PayPal's top security official is on a quest to kill passwords.

"Our intention is to really obliterate, within a certain number of years, both passwords and PINs and see the whole Internet—including internally in enterprises—obliterate user IDs and passwords and PINs from the face of the planet."

That's what Michael Barrett, chief information security officer at PayPal, told the network industry today at the Interop conference in Las Vegas. Barrett's second job is as president of the FIDO Alliance, a recently unveiled consortium trying to create an open standard that could replace passwords. Google, Lenovo, and other companies have representatives on FIDO's board of directors.

FIDO, which stands for Fast Identity Online, would work by requiring users to authenticate to their smartphone or other personal device, which then authenticates to a website (such as PayPal) using FIDO's protocols.

"There is a FIDO client or a FIDO stack that has to be on the device concerned," Barrett said. "That piece of software, think of it as a shim, knows how to talk the FIDO protocol back to the relying parties' server. Say you show up to PayPal.com once PayPal becomes FIDO-enabled, which we're in the process of doing. Once you come to our site, we will ping the device."

The device will then enumerate to the user the ways in which it can support authentication, from fingerprint sensing to eye scans.

"For most people, they authenticate to a very small set of devices. The notion is you authenticate to your device and the device authenticates securely to a [website]," Barrett said. "The credentials that authenticate you to your device are stored securely in the device and do not leave it."

Barrett said FIDO-enabled devices will become available this year. That advance will be enabled in part by smartphones supporting fingerprint readers, Barrett said, noting that Apple bought a fingerprint sensor technology company last year and is assumed to be building it into the iPhone. "That tells you there is going to be a fingerprint-enabled phone in the market later this year, not just one, but multiple, because the Android ecosystem is adapting," he said.

Phones could also authenticate a user with voice biometrics, eye scans, or facial recognition, he said. On PCs, there would be a browser plugin which could recognize the authentication methods that the system is capable of. A USB stick loaded with FIDO software could also work, allowing users to authenticate to computers they don't own. Google is reportedly working on similar ways to eliminate the password.

The FIDO website further explains:

A FIDO user will have a FIDO Authenticator or token that they chose or that was given to them. This could be any authenticator type that supports FIDO such as a built-in finger scan or a USB memory drive with a password. Users may pick the authenticator type that best suits their needs. FIDO Authenticators will come in two basic variations. Identification tokens will be unique identifiers that can be connected to the user’s Internet accounts. Once they are connected to the account, they will be transparently presented each time the account is accessed as an identifier without the user needing to do anything else. This will provide single factor authentication. Authentication tokens can ask the user to perform an explicit action to prove it is really the token owner. These actions could include entering a password, PIN or finger swipe. These authenticators will provide two factor authentication with the token being “something you have” and the password being “something you know” or the biometric being “something you are.”

Tokens sent from user devices to websites will hit a validation cache that "check[s] the encrypted information and one-time passwords from the tokens to ensure that a token is not being spoofed."

There will also be FIDO repositories acting as clearinghouses for token information. "A FIDO repository will coordinate with token vendors to ensure that current token information is available," the organization says. "The repository will make it easier for websites to enable FIDO because they won’t need coordination with every token vendor. By connecting to a repository this coordination and current token information will be handled already."
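To make the flow Barrett describes concrete, here is an added Go program (not code from the article, PayPal or the FIDO Alliance) that models the two halves: the user authenticates to the device with a local secret, and the device authenticates to the website with a credential that never leaves it. It goes beyond what the article states by assuming the mechanism FIDO's published protocols actually use: a separate key pair per website, created at enrollment, with the site storing only the public key and issuing a random one-time challenge that the device signs after local user verification. That also covers the two points from the FIDO text above: the key pair is the "something you have" and the PIN the "something you know", and the one-time challenge is what lets the site reject a replayed or spoofed assertion. The PIN, origin, user name and all type and function names are constructed for this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
)

// Authenticator stands in for the "FIDO stack" on the device: a local user-verification
// secret (a PIN hash here; a biometric template in practice) plus one key pair per website.
// Only public keys and signatures ever leave it. All names here are constructed.
type Authenticator struct {
	pinHash [32]byte
	keys    map[string]ed25519.PrivateKey // origin -> private key
}

func NewAuthenticator(pin string) *Authenticator {
	return &Authenticator{sha256.Sum256([]byte(pin)), map[string]ed25519.PrivateKey{}}
}

// Register mints a fresh key pair bound to one origin and returns only the public half.
func (a *Authenticator) Register(origin string) (ed25519.PublicKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil { return nil, err }
	a.keys[origin] = priv
	return pub, nil
}

// Assertion is the device's reply: the origin and challenge it signed, plus the signature.
type Assertion struct {
	Origin    string
	Challenge []byte
	Signature []byte
}

// signedBytes fixes the bytes under the signature; hashing the variable-length origin
// first keeps it from blurring into the challenge that follows.
func signedBytes(origin string, challenge []byte) []byte {
	h := sha256.Sum256([]byte(origin))
	return append(h[:], challenge...)
}

// Authenticate verifies the user locally, then signs the challenge for exactly the origin
// that issued it. Neither the PIN nor the private key is transmitted.
func (a *Authenticator) Authenticate(origin string, challenge []byte, pin string) (*Assertion, error) {
	got := sha256.Sum256([]byte(pin))
	if subtle.ConstantTimeCompare(got[:], a.pinHash[:]) != 1 { return nil, errors.New("local user verification failed") }
	priv, ok := a.keys[origin]
	if !ok { return nil, errors.New("no credential registered for origin " + origin) } // a look-alike site has no key
	return &Assertion{origin, challenge, ed25519.Sign(priv, signedBytes(origin, challenge))}, nil
}

// RelyingParty stands in for the website. It holds public keys only, so a dump of its
// user database yields nothing to crack or replay.
type RelyingParty struct {
	Origin  string
	pubKeys map[string]ed25519.PublicKey // user -> public key
	pending map[string][]byte            // user -> outstanding challenge
}

func NewRelyingParty(origin string) *RelyingParty {
	return &RelyingParty{origin, map[string]ed25519.PublicKey{}, map[string][]byte{}}
}

func (rp *RelyingParty) Enroll(user string, pub ed25519.PublicKey) { rp.pubKeys[user] = pub }

// Challenge issues a fresh 32-byte nonce that is spent on first use, which is what makes
// a captured assertion worthless the second time.
func (rp *RelyingParty) Challenge(user string) ([]byte, error) {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil { return nil, err }
	rp.pending[user] = c
	return c, nil
}

// Verify checks, in order: known user, origin binding, challenge freshness, signature.
func (rp *RelyingParty) Verify(user string, as *Assertion) error {
	pub, ok := rp.pubKeys[user]
	if !ok { return errors.New("unknown user") }
	if as.Origin != rp.Origin { return errors.New("assertion was signed for a different origin") }
	want, ok := rp.pending[user]
	delete(rp.pending, user) // one-time: spent whether or not the check passes
	if !ok || subtle.ConstantTimeCompare(want, as.Challenge) != 1 { return errors.New("stale or unknown challenge") }
	if !ed25519.Verify(pub, signedBytes(as.Origin, as.Challenge), as.Signature) { return errors.New("signature does not verify") }
	return nil
}

// Login runs one full round trip: the site issues a challenge, the device signs, the site verifies.
func Login(rp *RelyingParty, a *Authenticator, user, pin string) error {
	c, err := rp.Challenge(user)
	if err != nil { return err }
	as, err := a.Authenticate(rp.Origin, c, pin)
	if err != nil { return err }
	return rp.Verify(user, as)
}

func main() {
	auth, rp := NewAuthenticator("2468"), NewRelyingParty("https://relying-party.example") // constructed PIN and origin
	pub, _ := auth.Register(rp.Origin)
	rp.Enroll("alice", pub)
	fmt.Println("correct PIN:", Login(rp, auth, "alice", "2468"), "| wrong PIN:", Login(rp, auth, "alice", "0000"))
}
```

Two properties of the model are worth noticing. A breach of the site's database exposes only public keys, which is the contrast with the hashed passwords mentioned later in the article. And because the device holds a key per origin and signs the origin into the assertion, a look-alike site gets no signature at all, and a signature captured from the real site cannot be presented elsewhere or presented twice.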

Do you really want your refrigerator to know your PayPal password?

The reasons for creating an alternative to passwords are fairly clear: users have to remember dozens of passwords and often choose them poorly. "Left to their devices users will pick horrible passwords and then they'll reuse them all over the place," Barrett said.

Various data breaches have exposed millions of user IDs and passwords. While passwords are typically exposed in an obscured or "hashed" form, increasingly powerful processors and password cracking programs allow even novice hackers to convert them into plain text.

The key is to make security better without making it difficult for users. Barrett showed a picture of an unwieldy-looking key ring holding a bunch of two-factor authentication devices, saying it's the actual key ring used by a PayPal security official.

"This is what we will get if we don't do something better than [passwords]," Barrett said. "And the average user will be looking for a rope and a tree, either to hang themselves or hang us, I'm not sure which."

The so-called "Internet of things" adds another wrinkle. Barrett talked about development of refrigerators that can sense what food is inside them and automatically order replacement groceries. Perhaps such technology will be commonplace in a few years—and your refrigerator will need a way to pay for food.

"It begs the question, do you really want your refrigerator to know your PayPal password?" Barrett said. "Unless we can solve that problem, life is not going to be good."

The FIDO Alliance has worked on its technology for nearly two years behind the scenes, and it started talking publicly a couple of months ago. Barrett said most advanced security mechanisms that go beyond passwords are proprietary and thus not interoperable. The FIDO Alliance aims to build a system that can be used by anyone.

The idea is certainly an exciting one. Passwords are so entrenched in daily Internet use that killing the password for good, as Barrett wants to, would be a monumental achievement. It may sound nearly impossible, but Barrett quoted Henry Ford as saying "Whether you believe you can, or whether you believe you can't—you're right."