Can hardware help kill the password? Google thinks so

Google engineers say they have been experimenting with hardware that would act as a master key for online services.
  • Jared Newman (PC World (US online))
  • — 20 January, 2013 18:12

To help the Internet move on from usernames and passwords, Google wants to put a ring on it.

Google's engineers have been experimenting with hardware that would act as a master key for online services. Examples include a smart ring for your finger, a cryptographic USB stick, or a token embedded in smartphones. Google vice president of security Eric Grosse and engineer Mayank Upadhyay outline their proposal in a research paper for this month's IEEE Security & Privacy Magazine, according to a report in Wired.

The idea is to prevent remote hackers from accessing online accounts through stolen usernames and passwords. Without physically stealing the login device, they'd have no other way to gain entry.

Some Web services already offer this type of security through two-step authentication. For instance, when you sign into Gmail on an unrecognized PC, you can have Google send a text message to your phone with a validation code. Once you enter the code, Gmail can remember that PC indefinitely.

The problem with two-step authentication is that it's cumbersome to validate all your computers, and to go through the process just to check e-mail on a friend's computer. Signing in when your phone is out of service can be an issue as well, although Google does provide 10 backup codes for that situation.

A physical device--ideally one that could communicate wirelessly to computers--would make the process easier. "We'd like your smartphone or smartcard-embedded finger ring to authorize a new computer via a tap on the computer, even in situations in which your phone might be without cellular connectivity," Google's engineers write.

Of course, relying on a ring or other device to log in raises its own challenges. There'd have to be a backup sign-in method--one that's more secure than just a password--in case the device becomes lost or damaged. And while a ring or other contact-based device would help protect users from faraway hackers, it'd be easier to steal by spouses, co-workers or children. Google's engineers admit that they might still need to require passwords, but those passwords wouldn't have to be as complex as today's hacker-proof formulas. Also, not everyone will want to wear a ring or carry their phones around all the time just to use their computers.

Web developers will have to get on board as well, or at least embrace services like Account Chooser, which would let larger services like Facebook or Google act as a master login for smaller sites. Otherwise, we'll still have to remember a whole lot of passwords for sites that don't accept hardware-based authentication.

Google's not the only tech giant that's interested in replacing the password. Last year, Apple bought AuthenTec, a fingerprint scanner firm, leading to rumors that future iPhones could have fingerprint sensors built into their home buttons.

The idea of killing the password became a popular notion last year, after a clever hacker managed to wipe out the digital life of Wired reporter Mat Honan. In a sense, it was a wake-up call, but given how often major websites get hacked, a better solution now seems long overdue. Hardware solutions from the world's major tech players could be just what we need.

Tags: Google, passwords, security, Web sites
