By gizgastore
Tech juggernaut Google seems to be preparing to move away from passwords, which have long been a weak point of digital security, in favor of dedicated devices. But first it just has to convince the rest of the Internet to go along with its scheme.
According to Wired, next month's edition of the journal IEEE Security & Privacy Magazine will carry a report by Google's VP of security Eric Grosse and engineer Mayank Upadhyay that outlines their vision for a world without passwords.
The authors reportedly describe a scenario where a single device is used to seamlessly confirm users' identity. In their experiments, Grosse and Upadhyay used a tiny cryptographic USB card called a YubiKey with a modified version of Google Chrome. However, they hope to take the technology wireless and perhaps integrate with devices users already have—such as mobile phones.
Of course, if you lose your authenticator device, you could be in trouble.
Not Just Google
The important piece of the research is that it extends beyond Google. According to Wired, the pair of Googlers have developed a Google-independent protocol that requires no special software to authenticate a security device. It even includes measures to prevent websites from tracking users via their security devices, and only requires that the user be running a browser that supports the protocol.
Wired points out that Google, along with other major websites, has recently made efforts to bolster passwords with two-step verification systems. In the case of Google, users are texted a six-digit code to enter when logging in from a new computer, or they can use a special app which generates entry codes.
Facebook, Dropbox, and other major services are beginning to offer similar options. However, Google seems unconvinced. The study says, according to Wired, “along with many in the industry, we feel passwords and simple bearer tokens such as cookies are no longer sufficient to keep users safe.”
Better Security Now
We've seen other options that either enhance passwords or remove the need for them. Biometric systems, where a fingerprint or other unique bodily aspect is used as an identifier, have failed to gain traction despite being on the market for decades. That might be changing, and it would be interesting to see how much choice Google's setup will allow for identification.
Passwords will surely remain the mainstay of digital security for the masses, but until things change there are a few things users can do. The most obvious, of course, is to avoid repeating passwords for different services. Even if your password is very strong, you risk greater danger by spreading it around. Password generators can help with this, and most password managers (including Keychain, bundled with OS X) will both generate and store users' passwords.
I've recently switched over to using generated passwords and storing them with a password service. I've also engaged two-step verification wherever it is available. But what Grosse and Upadhyay describe is even more appealing because it not only sounds secure, it sounds eminently easy. I can't wait.