A quick glance through last year’s headlines is enough to tell you that typed-in passwords are not the stalwart security plan that they were in the early days of computing. Today, it’s too easy and commonplace for a popular site to be hacked and your personal information to become vulnerable. And judging by the 2012 stats from SplashData, far too many people leave themselves open to attacks by choosing weak passwords.
But what other options do we have? According to Wired, Google is looking for new choices beyond the current standard of passwords and cookies, and is researching the use of a physical key to lock and unlock your online things. One of the search company’s experiments involves a YubiKey cryptographic card that you simply slide into a USB port to log into Google.
Google’s Vice President of Security Eric Grosse and Engineer Mayank Upadhyay wrote an article that’s due to appear in an upcoming issue of IEEE Security & Privacy Magazine about Google’s efforts to revitalize our password systems. They said the ideal system of protection would involve authenticating a single device, such as a YubiKey or a smartphone, that would be configured to grant you access to any of your online services. “We’d like your smartphone or smartcard-embedded finger ring to authorize a new computer via a tap on the computer, even in situations in which your phone might be without cellular connectivity,” they wrote.
It’s one of those “we’re living in the future” ideas, but it isn’t without some serious hurdles. There would have to be an airtight backup plan in case the key got lost or stolen. And most importantly, other websites and online services would have to agree to support the system. Google’s browser has needed some tweaking to work with the key authentication, so several big players would need to jump on the bandwagon for the idea to really get off the ground.
In the meantime, Google is working on some improvements to its existing two-step authentication process. In the current system, when you – or someone pretending to be you – sign in from an unfamiliar computer, a security code is sent to your mobile phone, and you need to enter it to complete the login. This two-step approach is an improvement over using just a user name and password, but it still doesn’t protect against phishing. So Google is developing an addition, drawn from the key-based idea, that would be independent of its own services. Removing the Google affiliation for the key system would get rid of the phishing concern as well as the need for support from other sites. It’s definitely a step in a safer direction.
This has been tried before… People lose them, websites or apps won’t want to agree on the API due to risk and legal issues. Biometrics also didn’t get a big adoption, people are wary and trust isn’t there with the large companies. Nope, the password isn’t going anywhere soon.
The military uses them… Only their smart cards…
Common Access Cards used by the Military with a built in card reader work well.
Something tells me that the technology to make the password obsolete has not been invented yet, or at least it has not been adopted en masse. I don’t think the USB drive is the solution. This will require a completely different paradigm switch from the current proposed solutions.
Biometrics.
This still won’t solve the problem mentioned in the 1st paragraph. All authentication (traditional, key, biometrics, etc.) has to be compared to information on the server. If the server is compromised then people have access to that info and would just have to build a program that emulates the login procedure (in this case fake USB key software). This is a problem that is part of ANY remote login system. The only way to ensure security is on the server end, not the user end.
YubiKey, old news
But would I trust Google? NOPE
Hell NO!
Why carry a key around, when remembering doesn’t require any carrying?
There are several challenges facing existing cryptographic methodologies, but it’s the advancement of computation to quantum states vs classical binary states that makes Google’s proposed physical keys and all existing methods useless. The DARPA teams are already advancing potential solutions, IBM has a compelling circuit configuration and major research institutions have been tweaking algorithms that have been implemented in quasi-quantum computers. Either way, the future of cryptography and technology is more fluid now than ever; RSA will be useless with quantum computation… It’s probably time for these corporate teams to take a long-term approach to solving this problem, vs the ones that seem to keep shareholders running to the bankers with their pockets full.
Because we never lose our keys…
Return of the dongle, again.
LOL hell no. I would not put my 20 different codes on a memory stick.. LMAO I might just as well put them in a “picture” and post it on FB then..
No