Google is looking at a number of hardware-based authentication mechanisms to bypass one of security’s biggest vulnerabilities: the written password.
Wired Magazine got an advance look at a report submitted by a Google security team to IEEE Security & Privacy Magazine that discusses alternatives to today's most common way of accessing online sites such as Web-based e-mail, which typically involves typing a username and password into fields. Over the years, cybercriminals have taken advantage of users' lack of imagination with passwords to make brute-force attacks easier, and they have extracted the more creative combinations via phishing scams.
"Along with many in the industry, we feel passwords and simple bearer tokens such as cookies are no longer sufficient to keep users safe," write Google VP of Security Eric Grosse and engineer Mayank Upadhyay in the paper, which hasn't been made public yet.
Last year Google introduced a stronger authentication system for Gmail and other Google accounts that links them to a mobile phone. If someone tries to access the sites from an unidentified computer, it can send a mobile alert to the registered user. (Of course, the user needs to have a working phone at the listed number when the alert comes through.)
Among the devices Google is eyeing is the open-source YubiKey cryptographic card, which automatically logs a registered user into Google accounts when plugged in over USB. The YubiKey is currently used as a one-time-password generator. During the initial phase, engineers modified the Chrome web browser to work with the Yubico card without requiring a software download.
Another option is a token or chip embedded in a smartphone that can then be used wirelessly to access online accounts.
A more unusual system described in the paper involves a ring worn on a finger.
“We’d like your smartphone or smartcard-embedded finger ring to authorize a new computer via a tap on the computer, even in situations in which your phone might be without cellular connectivity,” the two men write.
Of course, an inherent weakness of hardware is that it can be lost or stolen. For that reason, the device itself may require its own authentication step, using more complex passwords that cannot be easily guessed.
“We’ll have to have some form of screen unlock, maybe passwords but maybe something else,” Grosse says in the Wired article. “But the primary authenticator will be a token like this or some equivalent piece of hardware.”
The Google team admits that others already offer authentication via hardware, but it has yet to take off. Perhaps with the power and cachet that come with the Google brand, more sites will agree to beta-test it and more web surfers will be convinced to use it.
“Others have tried similar approaches but achieved little success in the consumer world,” they write. “Although we recognize that our initiative will likewise remain speculative until we’ve proven large scale acceptance, we’re eager to test it with other websites.”