Google has a solution to the password problem

Let's face it: passwords are no longer secure enough for today's uses, with a never-ending onslaught of attacks succeeding far too often against a dated method of online security. People are generally terrible at choosing passwords, companies are equally bad at protecting the ones their users entrust to them, and computers keep getting faster at cracking whatever leaks. It's the modern-day password problem.

Google believes it has a solution, and it comes in the form of a very small USB authentication device made by Yubico. With a slightly modified version of Chrome, when a user plugs this tiny USB key into a port on their PC it will automatically log them into their Google account. As the device is actually in the hands of the user it significantly reduces the chance of any unwanted external access to private accounts and sensitive data.

There are of course a few problems with Google's pilot of these Yubico tokens, as if the small card is either lost or stolen it presents a security risk that could be greater than if you had simply used a password. Luckily, Google hopes to pair the token with some form of simple on-computer authentication; Google VP of Security Eric Grosse says "We'll have to have some form of screen unlock, maybe passwords but maybe something else" while the token will be the "primary authenticator".

Google also recognizes the daunting task ahead: it has to get other websites to adopt a physical authenticator such as this one. In Google's own words:

Others have tried similar approaches but achieved little success in the consumer world. Although we recognize that our initiative will likewise remain speculative until we’ve proven large scale acceptance, we’re eager to test it with other websites.

The protocol the device speaks is apparently website-independent, so it is not locked to providing a log-in for your Google account alone, and it needs no extra software beyond a browser that supports the hardware log-in method. Something like this could remove the need for long and complex passwords, which are effectively mandatory these days for any real security, and for imperfect two-step authentication.

If Google's pilot is successful we may see a larger push from the tech giant to ditch passwords for this sort of USB key. Until then, please don't set your password to "password"; it only leads to disaster.

Source: Wired | Image via Google

58 Comments

Using a bit of hardware to authenticate a user isn't terribly new or innovative. Comparable devices have existed since at least ... 1988.

If it works across a wide variety of sites, though, not bad.

I'll bet there's some kind of GPS in it, though ... knowing Google.

If you think technology can solve your security problems, then you don't understand the problems and you don't understand the technology.
- Bruce Schneier

Bad article title. Google doesn't have an answer, they just want to be part of someone else's answer. The thing about passwords, if they are easy to remember they are easy to crack. If they are hard to crack, you have very little chance of remembering them. It is recommended that each site has a unique password, and that you do not write them down.

What about being logged in from multiple places, as is often needed, especially nowadays? Let me guess, you expect me to use multiple hardware "keys", yeah?
What about being logged in from devices that have no USB (or extra USB) port?

You have already failed. If you seriously expect people to be willing to deal with multiple keys like that, you are delusional.

Go back to the drawing board.

Solution: Get a smartphone and install authentication software on it. Still have the normal password on whatever site it is. Now, once the password is entered, the user is prompted to get a code from the phone to enter in a second box. The code is on your phone.

Done. Lose your phone? No problem, they still need your password, and let's face it, you are going to notice your phone missing before one of these USB devices.

Why buy more tech when you can use what you already have? You can even go as far as putting an app on the phone and connecting via USB to create one of these USB-type things.
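What this comment proposes, a second code derived on the phone that the site checks alongside the password, is what RFC 6238 TOTP authenticator apps do: the phone and the site share a secret, and the code is an HMAC of the current 30-second time step, truncated to a few digits. The Go program below is an added example written for this page, not code from the commenter or from any vendor. It uses the RFC's published SHA-1 test secret (constructed input, so the expected codes are known) and adds the two checks a server needs in practice: a one-step skew window for clock drift, and a "newest accepted step" record so a code that was shoulder-surfed or phished cannot be replayed inside its validity window.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"crypto/subtle"
	"encoding/binary"
	"fmt"
	"time"
)

// totp computes an RFC 6238 code (HMAC-SHA1, `step`-second steps, `digits` digits) for Unix time t.
func totp(secret []byte, t int64, step int64, digits int) string {
	var counter [8]byte
	binary.BigEndian.PutUint64(counter[:], uint64(t/step))
	mac := hmac.New(sha1.New, secret)
	mac.Write(counter[:])
	h := mac.Sum(nil)
	// Dynamic truncation (RFC 4226 §5.3): the low nibble of the last byte picks a 4-byte window,
	// whose top bit is masked off so the result is the same on signed and unsigned platforms.
	off := h[len(h)-1] & 0x0f
	code := binary.BigEndian.Uint32(h[off:off+4]) & 0x7fffffff
	mod := uint32(1)
	for i := 0; i < digits; i++ {
		mod *= 10
	}
	return fmt.Sprintf("%0*d", digits, code%mod)
}

// verify accepts the code for the current step or one step either side (clock skew),
// compares in constant time, and refuses any step at or before *lastStep, so a code that
// has already been used (or an older one an attacker captured) is rejected.
func verify(secret []byte, code string, now int64, step int64, digits int, lastStep *int64) bool {
	for _, skew := range []int64{0, -1, 1} {
		t := now + skew*step
		if t/step <= *lastStep {
			continue
		}
		if subtle.ConstantTimeCompare([]byte(totp(secret, t, step, digits)), []byte(code)) == 1 {
			*lastStep = t / step
			return true
		}
	}
	return false
}

func main() {
	secret := []byte("12345678901234567890") // RFC 6238 test secret, a constructed value for this example
	fmt.Println(totp(secret, 59, 30, 8))      // 94287082, the RFC's first SHA-1 test vector
	fmt.Println(totp(secret, time.Now().Unix(), 30, 6))
}
```

A real deployment stores `lastStep` per user next to the secret, and the secret itself is the thing to protect: anyone who reads it can mint codes, which is the same exposure the commenter's "they still need your password" remark relies on the password to cover.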

I'd use it if it was PC- and browser-independent. Chrome may be fast, but it's terrible in every other way. It's a shame Firefox continues to be changed to work more like Chrome.

Course, that means having easy access to a USB drive. Oh wait, my new keyboard has a passthrough; guess that's sorted.

Still, using a password manager with massive encryption and some sort of authentication feature is all I can tolerate right now. Just having to type in a 20+ character password to login to a password manager is bad enough. But, even if I get keylogged, they still can't get into the account, so I guess I can shorten it, but bleh.

If they do release this and it is browser independent, then they need to have it link to a specific machine. Any new machines need to request authorization which has to be manually approved, like some companies are doing now (Steam, Facebook, other stuff I forgot). That's the only way to fully secure stuff without a password. Sucks for mobile users, but oh well.

Because they are looking at Yubico's technology with their Yubikeys. I have one and it is pretty sweet. Just not too much support out there with sites using it as a login tool.

Yubikey basically is a One Time Password generator that validates against their server via an API call which says it is you and matches the 64-character password to your key's serial number via a sophisticated algorithm. It also has challenge-response authentication and more.
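To make the validation the comment describes concrete, here is an added Go model of the Yubico OTP scheme, written for this page rather than taken from Yubico or from the commenter. It follows the documented format: a 6-byte public ID in the clear, then a 16-byte body (private ID, session counter, timestamp, use counter, random bytes, CRC-16) encrypted with the key's AES-128 secret, the whole thing modhex-encoded to 44 characters. The server side decrypts with the secret it shares with the key, checks the CRC residue and the private ID, and rejects any (counter, use) pair that does not move forward, which is what stops a captured OTP from being replayed. The key material, IDs, timestamp and random values are constructed for the example; the real validation service also checks the timestamp and exposes this over a signed HTTP API, which is omitted here.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"fmt"
	"strings"
)

// Modhex is Yubico's 16-symbol alphabet, chosen so the key's "typed" output survives keyboard layouts.
const modhex = "cbdefghijklnrtuv"

func modhexEncode(b []byte) string {
	var sb strings.Builder
	for _, c := range b {
		sb.WriteByte(modhex[c>>4])
		sb.WriteByte(modhex[c&0x0f])
	}
	return sb.String()
}

func modhexDecode(s string) []byte {
	out := make([]byte, len(s)/2)
	for i := range out { // s is checked against the alphabet by Validate before it gets here
		out[i] = byte(strings.IndexByte(modhex, s[2*i])<<4 | strings.IndexByte(modhex, s[2*i+1]))
	}
	return out
}

// crc16 is the reflected CRC-16/CCITT (poly 0x8408, init 0xffff); data followed by its inverted CRC leaves residue 0xf0b8.
func crc16(b []byte) uint16 {
	crc := uint16(0xffff)
	for _, c := range b {
		crc ^= uint16(c)
		for i := 0; i < 8; i++ {
			crc = crc>>1 ^ 0x8408*(crc&1)
		}
	}
	return crc
}

// Token models the key. Only PublicID is ever sent in the clear; the AES secret and PrivateID stay inside.
type Token struct {
	PublicID, PrivateID []byte
	Cipher              cipher.Block // AES-128 under the key's secret, shared with the server at personalisation
	Counter             uint16       // session counter, bumped on power-up
	Use                 uint8        // per-session use counter, bumped per OTP
}

// Generate emits 12 modhex chars of public ID + 32 modhex chars of AES-encrypted body (44 total).
func (t *Token) Generate(timestamp uint32, random uint16) string {
	t.Use++
	pt, ct := make([]byte, 16), make([]byte, 16)
	copy(pt[0:6], t.PrivateID)
	binary.LittleEndian.PutUint16(pt[6:8], t.Counter)
	pt[8], pt[9], pt[10], pt[11] = byte(timestamp), byte(timestamp>>8), byte(timestamp>>16), t.Use
	binary.LittleEndian.PutUint16(pt[12:14], random)
	binary.LittleEndian.PutUint16(pt[14:16], ^crc16(pt[:14]))
	t.Cipher.Encrypt(ct, pt)
	return modhexEncode(t.PublicID) + modhexEncode(ct)
}

// Record is what the validation server keeps per public ID.
type Record struct {
	PrivateID []byte
	Cipher    cipher.Block
	Last      uint32 // counter<<8 | use of the newest accepted OTP
}

// Validate decrypts, checks integrity and identity, then demands a strictly increasing (counter, use) sequence.
func Validate(keys map[string]*Record, otp string) error {
	if len(otp) != 44 || strings.Trim(otp, modhex) != "" || keys[otp[:12]] == nil {
		return fmt.Errorf("malformed otp or unknown public id")
	}
	rec, pt := keys[otp[:12]], make([]byte, 16)
	rec.Cipher.Decrypt(pt, modhexDecode(otp[12:]))
	if crc16(pt) != 0xf0b8 || string(pt[:6]) != string(rec.PrivateID) {
		return fmt.Errorf("integrity or identity check failed: wrong key, corrupted or forged otp")
	}
	seq := uint32(binary.LittleEndian.Uint16(pt[6:8]))<<8 | uint32(pt[11])
	if seq <= rec.Last {
		return fmt.Errorf("replayed otp") // a captured OTP is useless once a newer one has been seen
	}
	rec.Last = seq
	return nil
}

// NewDemo pairs a token with the server-side record of its secrets; every value here is constructed for this example.
func NewDemo() (*Token, map[string]*Record) {
	pub, priv := []byte{1, 2, 3, 4, 5, 6}, []byte{0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff}
	block, _ := aes.NewCipher([]byte("0123456789abcdef")) // 16-byte literal key, so NewCipher cannot fail
	tok := &Token{PublicID: pub, PrivateID: priv, Cipher: block, Counter: 1}
	return tok, map[string]*Record{modhexEncode(pub): {PrivateID: priv, Cipher: block}}
}

func main() {
	tok, keys := NewDemo()
	fmt.Println(Validate(keys, tok.Generate(0x123456, 0x4242))) // <nil>: a fresh OTP is accepted
}
```

Two things the model makes visible: the server never learns anything from the public ID alone (it only selects which shared secret to try), and the replay check is what turns "the device is in the user's hands" into an actual guarantee; without it, anyone who logs one keystroke burst from the key could reuse it forever.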

I don't want it to be portable USB. I don't want to be getting on the floor, under my desk just to login.

use DNA as encryption key for your passwords!

computer: place thumb on needle
user: OUCH
computer: authentication successful
user: grumble grumble

mocax said,
use DNA as encryption key for your passwords!

computer: place thumb on needle
user: OUCH
computer: authentication successful
user: grumble grumble

Bad luck if your DNA gets broken due to illness or radiation.

GS:mac

If your DNA was "broken", whatever that is, you'd be dead.

The only reason why blood would have different DNA would be an allogeneic bone marrow transplant. They're incredibly rare, often unsuccessful due to graft-versus-host disease, and you still have plenty of your own DNA in every non-blood cell.

I have a better idea. Put an encrypted chip into everyone's forehead or arm and use that to buy things and use it as an ID all across the world. It's an ID and then plus it's a credit card.

You use that for a password and you are done. hmmmmm, seems like I heard of this before from somewhere.... hmmm, wonder where I read that.

This is kind of ridiculous, and here is why I think so: everybody has cell phones. Why make us carry around this tiny little chip that can easily be misplaced or lost and hassle with having to plug it into the computer? Wouldn't it be easier to use a device that everybody is already carrying around with them and pair it with the computer you want to use via Bluetooth or something? Especially if they could figure out a way to make it secure, but automatic, so all you have to do is have your phone nearby the computer? Having to plug things in to do stuff is being phased out. I don't even use optical discs anymore except to burn something for somebody else, and I rarely have to use my flash drive, which is mostly used for installing Windows.

This is nothing new, what are they smoking... But now Google will have access to all your protected sites, because the "key" will communicate with a server at Google that will store all the sites you use that leverage this key.

Wow, seriously folks, I am not about to hand Google free access to all my stuff so their server farm can mine all my private info. If I need to password protect it, it's private and I'll be the gate keeper, not Google. Same goes for those "Password Locker" apps you can download for your phone/tablet/PC.

Has the entire world been hypnotized by Google or something? Google's business is to get their hands on your stuff, your data, your actions, what you say, where you go, what you think, your behavior, the people you know and who they know and so forth. That is their business, nothing else. All of their products serve that purpose.

Computer security comes in three forms
-What you know (passwords)
-What you are (biometrics, think fingerprint readers)
-What you have (a hardware token)

The generally accepted requirement for 'safe' is using two of the above. This token and an 'unlock password' would be a pretty safe way to go. Like an authenticator, but less annoying.

you missed a big piece....location security. Laptop wise, securing the device from unauthorized access trumps all of the above. I can give you my token, password and a fingerprint and it's all meaningless if you can't even come remotely close to the device.

Rohdekill said,
you missed a big piece....location security. Laptop wise, securing the device from unauthorized access trumps all of the above. I can give you my token, password and a fingerprint and it's all meaningless if you can't even come remotely close to the device.

There's another thing to location and that is WHERE are you logging in.

I might set up an account to be only accessible with an IP from my home town if I know I only use my stationary computer with it.

Think of Facebook that is location-aware, too.

GS:mac

If your DNA was "broken", whatever that is, you'd be dead.

The only reason why blood would have different DNA would be an allogeneic bone marrow transplant. They're incredibly rare, often unsuccessful due to graft-versus-host disease, and you still have plenty of your own DNA in every non-blood cell.

EDIT: somehow this got appended to the wrong reply.

It's a cool idea, but from a paranoid point of view, the problem with everyone moving from password-based authentication to hardware/physical key based authentication (AFAIK, correct me if I'm wrong) would be that the government can issue a search warrant/whatever for a physical item like this device, but they can't force you to tell them your password. Of course, they could always just get Google to log them into your account, just saying xD

but yeah, if everyone had one of these it could be interesting, especially if there was some kind of open-source JavaScript API to use it.

n_K said,
Hah - runs chrome - no thanks.

Yeah, runs Chrome and is made by Google!
A person after my own heart!!

Wouldn't touch it with any size pole.

Yeah, it sounds like it's something new and original, but going back to an on-screen password really just makes this a Google authenticator.

Article
As the device is actually in the hands of the user it significantly reduces the chance of any unwanted external access to private accounts and sensitive data.

....

"Article again"
as if the small card is either lost or stolen it presents a security risk that could be greater than if you had simply used a password.

Now... what really does not make sense:

Article

Luckily, Google hopes to combine this tech with some form of simple on-computer authentication; Google VP of Security Eric Grosse says "We'll have to have some form of screen unlock, maybe passwords but maybe something else" while the token will be the "primary authenticator".

Aren't we at the same spot again?

Jose_49 said,

Aren't we at the same spot again?

No, not quite, since it's a password and what we can more or less call a key. With this someone can't just simply crack your password or get it from another source; without the USB key the password is useless.

Everything I have is generated, not one I can remember.

I think the solution is to start being a little more confusing with your security.

What do you mean? How do you log in if you don't remember the password?

Also does anyone know where one can get a usb that size? It looks really neat!

Lamp0 said,
What do you mean? How do you log in if you don't remember the password?

Also does anyone know where one can get a usb that size? It looks really neat!

LastPass broski.

giantpotato said,
How do you login to LastPass if you have "not one I can remember" ?

You hysterical ******. Fine, only one password to remember with 2-factor authentication.