Ah, the password. Over time, our passwords have evolved from simple pet names or favourite words to more complex concoctions containing capital letters and numbers. If you’re like me, you have assorted passwords you use for the various accounts you have created on the web. It’s getting to be a nuisance trying to remember which password you use for a particular service, leading some of us to use apps to keep track of this mess.
On top of the organizational problems inherent with password authentication, truth be told, it’s not even that secure anymore. Phishing is becoming a big threat to our security. As such, various services on the web have been getting behind two-step verification systems, but even that is more annoying. So, what’s next?
In a paper to be published later this month in IEEE Security & Privacy Magazine, Google’s President of Security Eric Grosse and Engineer Mayank Upadhyay confirm that “passwords and simple bearer tokens such as cookies are no longer sufficient to keep users safe.” The paper describes how Google thinks users will be logging into websites in the future, envisioning an authentication method involving a physical device, such as a miniscule USB key.
Researchers at Google have been working with YubiKey’s cryptographic cards in particular, requiring few changes to Chrome in order for users to log into their services with the device. The key can log a user into their Google account when inserted into a computer’s USB drive. When using it to gain access to your services, you’ll also be required to enter a PIN confirming your identity. To make things even more interesting, Google plans on incorporating the key’s physical token into a ring on your finger, or perhaps some sort of chip that will be embedded into a smartphone.
Google knows it needs to amass support from the thousands of services out there on the web. As such, the company plans on laying the foundations for this to happen rather soon, “Although we recognize that our initiative will likewise remain speculative until we’ve proven large scale acceptance, we’re eager to test it with other websites.”
Google has created a protocol for this physical device authentication system, and it apparently works independently of Google. This will be good news to those who are concerned about the amount of information the search giant already has on its users.
Check out Wired magazine’s article in the source link for more information about the paper and Google plans for a more secure future.
[Wired]