Mountain View, California — As our lives increasingly move to the cloud, hardly a day goes by that some high-tech nerd coolly breaks into our digital lives and is getting easier by day, hence, the need for stronger passwords is more important than ever. In its quest to counter this malicious act, tech juggernaut Google seems to be preparing to move away from passwords, which have long been a weak point of digital security, in favor of dedicated devices. But side from avoiding easy-to-guess passwords, first it just has to convince the rest of the Internet to go along with their scheme.
Google engineers are examining ways to stop using passwords, which they believe are no longer enough to keep users safe. The company is now exploring new tools that could replace passwords as the primary way of authenticating identity on the web–like a USB-based card from Yubico that would sign you into your Google account when inserted into a device.
According to Wired, a new Google research paper, set to be published in the next month’s edition of the IEEE Security & Privacy Magazine, but already seen by Wired Magazine, carries a report by Google’s VP of security Eric Grosse and engineer Mayank Upadhyay that outline their vision for a world without passwords.
“Along with many in the industry, we feel passwords and simple bearer tokens such as cookies are no longer sufficient to keep users safe,” write Google’s Grosse and Upadhyay in the paper. “We would like your smartphone or smartcard-embedded finger ring to authorize a new computer via a tap on the computer, even in situations in which your phone might be without cellular connectivity,” they continue.
The report emphasizes the lack of protection passwords offer internet users and the growing need to reinvent the authentication system to ensure safe surfing. The paper also raises a very strong argument for the abolition of traditional internet passwords in favor of a physical token such as a ‘smart ring’ or a card that connects to the computer via the USB slot.
The authors reportedly portrays a scenario where a single device is used to effortlessly confirm users’ identity. Google is currently running a pilot thatemploys a YubiKey cryptographic card developed by Yubico — a startup operated out of Sweden and the US, which has produced a two-factor authentication fob that can emit encrypted one-time passwords to NFC-enabled smartphones. Of course, if you lose your authenticator device, you could be in trouble.
The YubiKey NEO fob. (Credit: Yubico)
In their experiments, Grosse and Upadhyay gave Wired a sneak peek at their paper, stating that by employing a cryptographic card from Yubico, which empowers the user to log into Google services like Gmail, Drive, or Chrome. As Wired noted, the Googlers had to make some changes to Chrome in order to get the cards to authenticate, but once that was in place, it did not require any additional installation — registration can be completed in one click.
“We are focused on making authentication more secure, and yet easier to manage,” a Google spokesman said in a statement. “We believe experiments like these can help make login systems better.”
However, the duo does not anticipate that passwords will completely disappear, but that they will have a less significant role in authenticating ID, playing second fiddle to smartphones or chip-embedded things as the primary authenticator.
“We would like your smartphone or smartcard-embedded finger ring to authorize a new computer via a tap on the computer, even in situations in which your phone might be without cellular connectivity,” Wired quoted the duo as saying, hinting at the use of NFC capabilities already available in smartphones such as Samsung’s Galaxy S3.
As a matter of fact, barely a week passes by without a report of a high profile website or web service — from Google Mail to Yahoo to Sony — being hacked and account details being compromised. In August a single Drop Box employee’s account was hacked and the attackers obtained a treasure trove of users’ email addresses. In June last year, hackers stole 6 million LinkedIn passwords and posted them to a Russian site to crowdsource the key to their encryption.
Admittedly, the threat of malware and phishing attacks has never been greater. Use of a physical token for identification would cancel out all of these threats, and if any company has the power and influence to change the way users are authenticated on the web, it is Google.