On April 11th the Samsung Galaxy S5 will be released in more than 100 countries around the world. Owners of Samsung’s latest flagship will be able to do something with their new device that they can’t do with any other: authorize PayPal payments using their fingerprints. Apple may have reignited the interest in fingerprint sensors, but its sensor is only good for authorizing purchases on iTunes and unlocking the iPhone 5s for now. The Galaxy S5 goes above and beyond, being the first commercial implementation of an authorization protocol developed by the FIDO Alliance, which counts Microsoft, Google, Lenovo, BlackBerry, MasterCard and PayPal as members.
To start authorizing PayPal payments using the fingerprint sensor on the Galaxy S5, users first have to go through a short setup process. It basically registers the device’s identity based on its cryptographic chip and then links the user’s fingerprint to their PayPal account. Once this is up and running, PayPal only asks for a fingerprint swipe when a payment needs to be authorized. Normally PayPal asks for a log-in, and it will continue to do so on devices that don’t support this protocol.
The protocol has been designed to never let the fingerprint record leave the device. What it does instead is use the sensor’s output to generate cryptographic keys, which are then combined with keys from the device’s cryptographic chip to create a new key. This key can’t be used to copy the fingerprint used to make it.
So far the Galaxy S5 is the only consumer device that supports PayPal’s FIDO-based authorization system. PayPal hasn’t said if there are upcoming devices in the pipeline that will support the system as well.