Paypal Exec Aims to take Biometrics to a Whole New Level: Goodbye Passwords

The head of developer advocacy for Paypal and Braintree, Jonathan Leblanc, has an idea that will seem absurd to some, innovative to others and terrifying to  still others. The executive of the multi-billion dollar eBay subsidiary suggests in a recent presentation called “Kill All Passwords” that “true integration with the human body” is the way forward.

fingerprint passwordsHis premise is that user behavior has historically proven the system of password authentication to be inadequate. Users always seem to opt for easy passwords that can be cracked by brute force with ease, and this is not a problem that will lessen with the advancement of technology. Instead, the inverse is true: desktop computers can now run brute-force programs, given enough time, and guess user passwords. Study after study shows that the majority, not a small minority of users, decide on passwords that are not in any way secure.

Also read: How to Create a Secure Password

Two-factor authentication and encrypted databases have been the primary focus of engineers looking to solve the riddle for some time now, but Leblanc is over that. Why not just attach the account to a user’s biometrics, something that won’t be imitable for decades to come?

Leblanc’s Proposal (or Prediction)

Leblanc begins his presentation by pointing out what this article has already said: too many users are picking poor passwords. Seven percent of users, according to his presentation, use the password “password.” That is staggering when one considers that billions of people are using the web. That creates a huge market in identity theft, easy pickings, and low-hanging fruit.


Only nine of passwords are not from the list of 1000 top passwords, meaning that the overwhelming majority of passwords, despite all the money that has been invested and all the time that has been taken to ensure that users understand the risks of weak passwords, are, in a word, weak. Because of these reasons, Leblanc suggests a near-future where vein recognition, heart rate monitoring, and fingerprint scanning will all be used in concert with improved versions of existing user identification. He lists the following algorithms as being bad for security:

  • MD5
  • SHA-1
  • SHA-2
  • SHA-3

And lists the following algorithms as being, in his estimation, good:

  • PBKDF2

The latter algorithm has been used in numerous applications, and is the underpinning of numerous cryptocurrencies, including Litecoin.

Financially speaking, companies, even the most deep-pocketed, will have to decide if solutions such as those Leblanc proposed are viable. After all, issuing or requiring heart monitors of all users could be a difficult task, at least until smart watches become the norm. Culturally, there are certain groups who would never go for such a thing, such as groups who would consider a piece of technology in their blood stream to be an abomination.

No one knows what the future holds, but certainly with more things than ever being done via the Internet, the problem of password security remains a huge concern for millions of companies and individuals. When an account is compromised, so is the data it has sent to received from, in many cases. Lives have been destroyed thanks to weak passwords, and this continues to this day. While some may consider Leblanc’s proposals to be ahead of their or simply untenable for ethical reasons, others may see them as the inevitable.



P. H. Madore has covered the cryptocurrency beat over the course of hundreds of articles for Hacked's sister site, CryptoCoinsNews, as well as some of her competitors. He is a major contributing developer to the Woodcoin project, and has made technical contributions on a number of other cryptocurrency projects. In spare time, he recently began a more personalized, weekly newsletter at