Can hardware help kill the password? Google thinks so

Google engineers say they have been experimenting with hardware that would act as a master key for online services.

To help the Internet move on from usernames and passwords, Google wants to put a ring on it.

Google's engineers have been experimenting with hardware that would act as a master key for online services. Examples include a smart ring for your finger, a cryptographic USB stick, or a token embedded in smartphones. Google vice president of security Eric Grosse and engineer Mayank Upadhyay outline their proposal in a research paper for this month's IEEE Security & Privacy Magazine, according to a report in Wired.

The idea is to prevent remote hackers from accessing online accounts through stolen usernames and passwords. Without physically stealing the login device, they'd have no other way to gain entry.

Some Web services already offer this type of security through two-step authentication. For instance, when you sign into Gmail on an unrecognized PC, you can have Google send a text message to your phone with a validation code. Once you enter the code, Gmail can remember that PC indefinitely.

The problem with two-step authentication is that it's cumbersome to validate all your computers, and to go through the process just to check e-mail on a friend's computer. Signing in when your phone is out of service can be an issue as well, although Google does provide 10 backup codes for that situation.

A physical device--ideally one that could communicate wirelessly to computers--would make the process easier. "We'd like your smartphone or smartcard-embedded finger ring to authorize a new computer via a tap on the computer, even in situations in which your phone might be without cellular connectivity," Google's engineers write.

Of course, relying a ring or other device to log in raises its own challenges. There'd have to be a backup sign-in method--one that's more secure than just a password--in case the device becomes lost or damaged. And while a ring or other contact-based device would help protect users from faraway hackers, it'd be easier to steal by spouses, co-workers or children. Google's engineers admit that they might still need to require passwords, but those passwords wouldn't have to be as complex as today's hacker-proof formulas. Also, not everyone will want to wear a ring or carry their phones around all the time just to use their computers.

Web developers will have to get on board as well, or at least embrace services like Account Chooser, which would let larger services like Facebook or Google act as a master login for smaller sites. Otherwise, we'll still have to remember a whole lot of passwords for sites that don't except hardware-based authentication.

Google's not the only tech giant that's interested in replacing the password. Last year, Apple bought AuthenTec, a fingerprint scanner firm, leading to rumors that future iPhones could have fingerprint sensors built into their home buttons.

The idea of killing the password became a popular notion last year, after a clever hacker managed to wipe out the digital life of Wired reporter Mat Honan. In a sense, it was a wake-up call, but given how often major websites get hacked, a better solution now seems long overdue. Hardware solutions from the world's major tech players could be just what we need.

Join the CSO newsletter!

Error: Please check your email address.

Tags GooglesecuritypasswordsWeb sites

More about AppleAuthenTecFacebookGoogleIEEE

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Jared Newman

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts