Google's password proposal: One ring to rule them all
In a forthcoming paper, Google engineers float the idea of supplementing passwords with hardware you wear. Or carry. Or slip onto a finger.
Hardly a day goes by that some high-profile person -- along with countless people of lower profile -- has an account hacked. Weak password, stolen password, non-existent password -- whatever the cause, breaking into our digital lives is easy and getting easier.
That's why Google says passwords are no longer the best solution for sensitive accounts. "We contend that security and usability problems are intractable," write Google's Eric Grosse and Mayank Upadhyay, in an article to be published later this month in IEEE Security & Privacy. "It's time to give up on elaborate password rules and look for something better."
One idea: a ring that authenticates a user's identity so a password doesn't have to.
As first reported by Wired, "something better" will likely involve hardware. Google has already made a significant foray into this arena with two-step verification, which combines something the user knows (a password) with something the user has (a single-use code, sent to a smartphone connected to the account). The paper says that "millions" use two-step verification, and that it's among the largest services of its kind in the world.
But it can also be a pain. Grosse, Google's vice president of security, and Upadhyay, an engineer, say "not nearly enough of our users are protected" by the two-step service. In the paper, they propose an alternative: a "USB token" tied to the user that plugs into a computer's USB port, communicates its identity via a website, and in so doing grants the user access to his or her accounts, without the need for passwords.
The authors note, however, that it may be difficult to persuade people to buy USB tokens. What if, they wonder, it was integrated into something a person was more likely to carry, and communicated with the computer via near-field communication or Bluetooth?
"Some more appealing form factors might involve integration with smartphones or jewelry that users are likely to carry anyway," the authors write. "We'd like your smartphone or smartcard-embedded finger ring to authorize a new computer via a tap on the computer, even in situations in which your phone might be without cellular connectivity."
The article is well worth reading in full. It will be posted online by Jan. 28 at this address, a spokeswoman said.