January 18, 2013
One Ring To Rule Them All: Google Wants To Replace Passwords
Michael Harper for redOrbit.com — Your Universe Online
According to a report by Wired, Google is looking to do away with password access to their line of services, opting instead for a ring on your finger or a card in your wallet. Google vice president of security Eric Grosse and engineer Mayank Upadhyay have now written about this possibility in a paper, which is set to be published this month in the journal IEEE Security & Privacy Magazine. In it, they detail all the ways we could one day log into services and websites, including the aforementioned card or ring.
“Along with many in the industry, we feel passwords and simple bearer tokens such as cookies are no longer sufficient to keep users safe,” write Grosse and Upadhyay in their IEEE paper. Along with rings and cards, the pair even suggests that a smartphone could be used to provide proper credentials when logging into websites and services.
“We'd like your smartphone or smartcard-embedded finger ring to authorize a new computer via a tap on the computer, even in situations in which your phone might be without cellular connectivity.”
Wired suggests 2012 may have been the year the password “broke,” which is not an unfair statement. In 2012 alone, millions of people had their online identities jeopardized when hackers broke into servers belonging to eHarmony, Last.fm, LinkedIn and Yahoo and spread encrypted passwords across the expanse of the Internet. These days, encryption is a small hurdle for hackers to jump, as large clusters of computers can be enlisted to perform the heavy computational work of cracking it. In some cases, these companies use weak encryption, making it even easier to break the code. Even Wired's own Mat Honan had his entire digital life hacked and nearly deleted in an attempt to take over his 3-character Twitter handle.
In order to make the world a little more secure, Grosse and Upadhyay are looking towards a tiny card from Yubico, a security company with offices in California, Sweden and the UK. This cryptographic card fits in any USB slot and can be used to automatically log a user into their Gmail account, for instance. The pair have had to tweak Chrome in order to get it to play nicely with the Yubico cards, but once the support is there, users won't have to download any extra software to use the card. Such a configuration would be a true “plug and play” type of solution for Google users.
Like most things in life, we must be willing to sacrifice one thing to gain more of another. For instance, the password “1234” is incredibly easy to remember (and unfortunately, quite common) but it isn't secure. On the other hand, the password “h^gLS8Fbc90^)!” will be tough to crack, but not very convenient or easily remembered.
Moving your credentials to a physical ring or card offers more convenience, but it also gives you one more very important thing to lose, making it a little less secure.
Grosse and Upadhyay write that rings and other tokens will be the primary authenticator, but there will be other ways to authenticate your credentials online.
“We'll have to have some form of screen unlock, maybe passwords but maybe something else,” says Grosse, “but the primary authenticator will be a token like this or some equivalent piece of hardware.”
For now, the two are creating this protocol separately from Google in order to bring other websites into the mix.