|Google is running a pilot project to see
if these USB-based Yubico log-on devices might
help it solve the password problem
Want an easier way to log into your Gmail account? How about a quick tap on your computer with the ring on your finger?
This may be closer than you think. Google’s security team outlines this sort of ring-finger authentication in a new research paper, set to be published late this month in the engineering journal IEEE Security & Privacy Magazine. In it, Google Vice President of Security Eric Grosse and Engineer Mayank Upadhyay outline all sorts of ways they think people could wind up logging into websites in the future — and it’s about time.
2012 may have been the year that the password broke. It seemed like everyone on the internet received spam e-mail or desperate pleas for cash — the so-called “Mugged in London” scam — from the e-mail accounts of people who had been hacked. And Wired’s own Mat Honan showed everyone just how damaging a hack can be.
The guys who hacked Honan last August deleted his Gmail account. They took over his Twitter handle and posted racist messages. And they remote-wiped his iPhone, iPad, and laptop computer, deleting a year’s worth of e-mails and photographs. In short, they erased his digital life.
Passwords are a cheap and easy way to authenticate web surfers, but they’re not secure enough for today’s internet, and they never will be.
Google agrees. “Along with many in the industry, we feel passwords and simple bearer tokens such as cookies are no longer sufficient to keep users safe,” Grosse and Upadhyay write in their paper.
Thus, they’re experimenting with new ways to replace the password, including a tiny Yubico cryptographic card that — when slid into a USB (Universal Serial Bus) reader — can automatically log a web surfer into Google. They’ve had to modify Google’s web browser to work with these cards, but there’s no software download and once the browser support is there, they’re easy to use. You log into the website, plug in the USB stick and then register it with a single mouse click.
They see a future where you authenticate one device — your smartphone or something like a Yubico key — and then use that almost like a car key, to fire up your web mail and online accounts.
In the future, they’d like things to get even easier, perhaps connecting to the computer via wireless technology.
“We’d like your smartphone or smartcard-embedded finger ring to authorize a new computer via a tap on the computer, even in situations in which your phone might be without cellular connectivity,” the Googlers write.
The future may not exactly be password-free, but it will at be least free of those complex, hard-to-remember passwords, says Grosse. “We’ll have to have some form of screen unlock, maybe passwords but maybe something else,” he says, “but the primary authenticator will be a token like this or some equivalent piece of hardware.”
That means that if someone steals your card or your smart-ring, you’d better report it stolen pretty quickly.
Grosse and Upadhyay believe that once enough websites support this device-centric login technique, people mostly won’t need strong passwords, except in rare occasions — when they’re making significant changes to their account, for example.
But for Google’s password-liberation plan to really take off, they’re going to need other websites to play ball. “Others have tried similar approaches but achieved little success in the consumer world,” they write. “Although we recognize that our initiative will likewise remain speculative until we’ve proven large scale acceptance, we’re eager to test it with other websites.”
So they’ve developed a (as yet unnamed) protocol for device-based authentication that they say is independent of Google, requires no special software to work — aside from a web browser that supports the login standard — and which prevents web sites from using this technology to track users.T
he great thing about Google’s approach is that it circumvents the really common attack that even Google’s existing mobile-phone authentication system can’t prevent: phishing.
Two years ago, Google introduced a two-step login option, which makes it harder for criminals to break into your account. With this option, Google typically sends users a secret code via text message every time they try to log into their accounts from a new computer.
The problem is that if criminals can convince you that you’re visiting Gmail even when you’re not, they can trick you into entering that secret code. In fact, the bad guys can even turn two-step authentication against legitimate users. Sometimes, they add their own phone number to the account “just to slow down account recovery by the true owner,” the paper states.
What do you do in the meantime? Well, you use that existing two-step authentication. It’s not perfect. But it’s better than just a password.
The good news is that people are actually using it — and we can thank Mat Honan for that. Honan’s story inspired a lot of people to lock down their Gmail accounts by linking them to their mobile phones.
“In the two days following Mat’s Wired article, a quarter-million people signed up for two step authentication,” says Grosse. He can’t say exactly how many people sign up on a typical day, but “it’s much less than that,” he says.
You can see the Epic Hack spike here, in this graph provided by Google:
Everyone logs into Google services like Gmail using a user name and password, but with Google’s two-step process, when you’re logging in from an unfamiliar computer, you also get a six-digit number messaged to your phone that you must enter before you can log in.
Honan says that if he’d had two-step authentication on his Gmail account, the whole incident probably would not have amounted to anything. But until the spammers and scammers decide to call it quits, we still need that Google ring.