Google aims to replace passwords with ID ring
THE struggle to remember several long and increasingly complicated passwords simply to carry out everyday web tasks could soon become a thing of the past, if Google gets its way and introduces a ring that can confirm your identity online.
In a research paper, two security experts at the web giant have outlined a future in which the main way of guaranteeing we are who we say we are online will be possession of a physical token, perhaps embedded in smartphones or even jewellery.
They have added to growing claims that passwords are both inherently insecure and increasingly impractical.
To make them more difficult for criminals to guess, web services have forced people to use longer passwords with different types of characters, but that also makes them more difficult to remember. To add to the headache, experts also advise against using the same password for different services, to reduce the impact if one is hacked.
“Along with many in the industry, we feel passwords and simple bearer tokens such as cookies are no longer sufficient to keep users safe,” said Google vice president of security Eric Grosse and engineer Mayank Upadhyay, in an article to be published in an engineering journal.
Cookies are small text files issued by websites to web browser software to keep visitors logged in once they have entered their password.
“We’d like your smartphone or smartcard-embedded finger ring to authorize a new computer via a tap on the computer, even in situations in which your phone might be without cellular connectivity,” the Googlers wrote.
Grosse and Upadhyay said they are currently experimenting with YubiKey, a tiny USB stick that implements highly secure “one time pad” cryptography to log in to Google services, as a replacement for passwords. In the future, they want similar authentication technology to work wirelessly and across all of a person’s online accounts.
“We’ll have to have some form of screen unlock, maybe passwords but maybe something else,” Grosse said, Wired reports. “But the primary authenticator will be a token like this or some equivalent piece of hardware.”
Security experts have pointed to the problems with passwords for years, and suggested alternatives, but none have been widely adopted because they would require web services to adopt standards.
Grosse and Upadhyay’s paper is attracting attention because, coming from the world’s biggest web company, it may stand a better chance of success.
“Others have tried similar approaches but achieved little success in the consumer world,” Grosse and Upadhyay wrote.
“Although we recognize that our initiative will likewise remain speculative until we’ve proven large scale acceptance, we’re eager to test it with other websites.”
Given the rivalries online and the low cost and ubiquity of passwords, progress remains a tall order, however. Bill Gates predicted the death of passwords at a security conference in 2004.
Christopher Williams Telegraph.co.uk