Skip to main content

Forget that password, Google wants to replace it with USB keys and ‘smart rings’

A quick glance through last year’s headlines is enough to tell you that typed-in passwords are not the stalwart security plan that they were in the early days of computing. Today, it’s too easy and commonplace for a popular site to be hacked and your personal information to become vulnerable. And gauging by the 2012 stats from SplashData, far too many people leave themselves open to attacks by choosing weak passwords

But what other options do we have? According to Wired, Google is looking for new choices beyond the current standard of passwords and cookies, and is researching using a physical key to lock and unlock your online things. One of the experiments by the search company includes a YubiKey cryptographic card that you simply slide into a USB port to log into Google. 

Google’s Vice President of Security Eric Grosse and Engineer Mayank Upadhyay wrote an article that’s due to appear in an upcoming issue of IEEE Security & Privacy Magazine about Google’s efforts to revitalize our password systems. They said the ideal system of protection would involve authenticating a single device, such as a YubiKey or a smartphone, that would be configured to grant you access to any of your online services. “We’d like your smartphone or smartcard-embedded finger ring to authorize a new computer via a tap on the computer, even in situations in which your phone might be without cellular connectivity,” they wrote.

It’s one of those “we’re living in the future” ideas, but it isn’t without some serious hurdles. There would have to be an airtight backup plan in case the key got lost or stolen. And most importantly, other websites and online services would have to agree to support the system. Google’s browser has needed some tweaking to work with the key authentication, so several big players would need to jump on the bandwagon for the idea to really get off the ground. 

In the meantime, Google is working on some improvements to its existing two-step authentication process. In the current system, when you – or someone pretending to be you – signs in from an unfamiliar computer, a security code gets sent to your mobile phone that you need to enter in order to complete the login. This two-step approach is an improvement from just using a user name and password, but it still doesn’t protect against phishing. So Google has an addition in development from the key-based idea that would be independent of its own services. Removing the Google affiliation for the key system would get rid of the phishing concern as well as the need for support from other sites. It’s definitely a step in a safer direction. 

(Image via jakeliefer)

Editors' Recommendations

Anna Washenko
Former Digital Trends Contributor
Anna is a professional writer living in Chicago. She covers everything from social media to digital entertainment, from tech…
How to find saved passwords on your Mac
Passwords locked on Mac.

If you opt to use iCloud Keychain over one of the popular password managers, then you already know its major benefit: Your passwords sync across your Apple devices. For example, you can save a password on your iPhone and then access it on your Mac.

With the MacOS Monterey upgrade, Apple made it even easier to see saved passwords using System Preferences. For those who’ve decided not to upgrade to Monterey, though, you can still find your passwords with Safari. Let’s take a look at how to do both.
How to find saved passwords on Mac with System Preferences

Read more
Spellcheckers in Google Chrome could expose your passwords
Office computer with login asking for password and username.

If you like to be thorough and use an advanced spellchecker, we have some bad news -- your personal information could be in danger.

Using the extended spellcheck in Google Chrome and Microsoft Edge transmits everything you input in order for it to be checked. Unfortunately, this includes information that should be strictly encrypted, such as passwords.

Read more
Google just thwarted the largest HTTPS DDoS attack in history
A depiction of a hacker breaking into a system via the use of code.

Google has confirmed that one of its cloud customers was targeted with the largest HTTPS distributed denial-of-service (DDoS) attack ever reported.

As reported by Bleeping Computer, a Cloud Armor client was on the receiving end of an attack that totaled 46 million requests per second (RPS) at its peak.

Read more