Google has a solution to the password problem

Let's face it: passwords are no longer secure enough for today's uses, with a never-ending onslaught of attacks succeeding far too often against a dated method of online security. People are generally horrible when it comes to choosing passwords, companies are equally bad at protecting their users and computers are becoming more powerful at cracking. It's the modern-day password problem.

Google believes that they have a solution to the problem, and it comes in the form of a very small USB authentication device known as the Yubico. With a slightly modified version of Chrome, when a user slides this tiny USB card into a USB port on their PC, it will automatically log them into their Google account. Because the device is physically in the hands of the user, it significantly reduces the chance of any unwanted external access to private accounts and sensitive data.

There are of course a few problems with Google's pilot project of these Yubico tokens: if the small card is either lost or stolen, it presents a security risk that could be greater than if you had simply used a password. Luckily, Google hopes to combine this tech with some form of simple on-computer authentication; Google VP of Security Eric Grosse says "We’ll have to have some form of screen unlock, maybe passwords but maybe something else" while the token will be the "primary authenticator".

Google also recognizes the daunting task it faces in getting other websites on board with a physical account authenticator such as the Yubico:

"Others have tried similar approaches but achieved little success in the consumer world. Although we recognize that our initiative will likewise remain speculative until we’ve proven large scale acceptance, we’re eager to test it with other websites."

The protocol that they are using on the small USB device is apparently website-independent, so it's not just locked to providing a password for your Google account, and it's also software-free apart from requiring that your browser supports the hardware log-in method. Something such as this could potentially remove the need for long and complex passwords - which are basically required these days for maximum security - and imperfect two-step authentication.

If Google's pilot project is successful we may see a larger push from the tech giant to ditch passwords for this sort of USB key. Until then, please don't set your password as "password"; it only leads to disaster.

Source: Wired | Image via Google

use DNA as encryption key for your passwords!

computer: place thumb on needle
user: OUCH
computer: authentication successful
user: grumble grumble

mocax said,
use DNA as encryption key for your passwords!

computer: place thumb on needle
user: OUCH
computer: authentication successful
user: grumble grumble

Bad luck if your DNA gets broken due to illness or radiation.

GS:mac

If your DNA was "broken", whatever that is, you'd be dead.

The only reason why blood would have different DNA would be an allogeneic bone marrow transplant. They're incredibly rare, often unsuccessful due to graft-versus-host disease, and you still have plenty of your own DNA in every non-blood cell.

I don't want it to be portable USB. I don't want to be getting on the floor, under my desk just to login.

Because they are looking at Yubico's technology with their Yubikeys. I have one and it is pretty sweet. Just not too much support out there with sites using it as a login tool.

Yubikey basically is a One Time Password generator that validates against their server via an API call which says it is you and matches the 64-character password to your key's serial number via a sophisticated algorithm. It also has challenge response authentication and more.

I'd use it if it was PC and browser independent. Chrome may be fast, but it's terrible in every other way. Shame Firefox continues to be changed more into how Chrome functions.

Course, that means having easy access to a USB drive. Oh wait, my new keyboard has a passthrough; guess that's sorted.

Still, using a password manager with massive encryption and some sort of authentication feature is all I can tolerate right now. Just having to type in a 20+ character password to login to a password manager is bad enough. But, even if I get keylogged, they still can't get into the account, so I guess I can shorten it, but bleh.

If they do release this and it is browser independent, then they need to have it link to a specific machine. Any new machines need to request authorization which has to be manually approved, like some companies are doing now (Steam, Facebook, other stuff I forgot). That's the only way to fully secure stuff without a password. Sucks for mobile users, but oh well.

Solution: Get a smart phone, install authentication software on it. Still have the normal password on whatever site it is. Now once the password is entered, the user is prompted to get a code from the phone to enter in a second box. The code is on your phone.

Done. Lose phone? No problem, they still need your password, and let's face it, you are going to notice your phone missing before one of these USB devices.

Why buy more tech when you can use what you have already, you can even go as far as putting an app on phone and connecting via usb to create one of these usb type things.

What about being logged in from multiple places, as is often needed, especially nowadays? Let me guess, you expect me to use multiple hardware "keys", yeah?
What about being logged in from devices that have no USB (or extra USB) port?

You have already failed. If you seriously expect people to be willing to deal with multiple keys like that, you are delusional.

Go back to the drawing board.

Bad article title. Google doesn't have an answer, they just want to be part of someone else's answer. The thing about passwords, if they are easy to remember they are easy to crack. If they are hard to crack, you have very little chance of remembering them. It is recommended that each site has a unique password, and that you do not write them down.

If you think technology can solve your security problems, then you don't understand the problems and you don't understand the technology.
- Bruce Schneier

Using a bit of hardware to authenticate a user isn't terribly new or innovative. Comparable devices have existed since at least ... 1988.

If it works across a wide variety of sites, though, not bad.

I'll bet there's some kind of GPS in it, though ... knowing Google.
