New research from Google suggests what we all likely know to be true – your pet’s name followed by a few numbers just isn’t cutting it as a password these days. The company will be publishing a new research paper in the IEEE Security & Privacy Magazine this month, but Wired got a sneak peek, and it details a number of alternatives based on requiring a physical device, in combination with some other form of screen unlock, to not only simplify the password process but also make it more secure.
Some of the possible systems they describe include chips embedded in smartphones, which is a pretty convenient method given that everyone will be carrying one anyway, and a slightly more unusual means of delivery via a ring worn on the finger. I think I had a pinkie ring once when I was sixteen (it was a mistake), so personally I’d prefer something a little less flashy, but the idea is sound.
As a first step, however, they’re working with a YubiKey cryptographic card, programming it so that it can automatically log a user into their Google account on the web when inserted into a computer’s USB port. It doesn’t require a software download or any install, just a slightly modified version of Chrome. Combined with Google’s authentication and authorization services, you can see how this would eliminate the need for complicated passwords and even, potentially, the elaborate “prove you’re a human” CAPTCHA processes that make logging into apps and websites a pain.
Others have tried similar systems, to strong effect. Blizzard uses the Battle.net Authenticator, which can be either a hardware device or a smartphone app for Android and iOS, to provide a temporary, secondary password to users that they can use in combination with their existing password as an added measure of protection. Likewise, Google users can enable two-step authentication, whereby a message gets sent to your phone containing a temp password in addition to your usual login credentials. The problem is that these methods are both still susceptible to phishing attempts, whereby a website masquerades as a legitimate one owned by the company which manages your account, in order to trick you into giving up your own info.
Direct authentication with a physical device has the benefit of not being susceptible to phishing attempts, and it also simplifies the process, meaning that it could work without an actual password for light security scenarios, and with a simple password in areas where you’re more concerned about your privacy. There’s still a risk of device theft or loss, but that’s easier to mitigate and track than malware-based hacking attempts.
Online security has definitely taken steps to try to make consumers feel more protected with measures like two-step authentication, but that has also resulted in a much more cumbersome process than when we all just used our dog’s name or didn’t bother with a login at all. This new effort to push a hardware-based password alternative could return some of that bygone simplicity to the web, but it’ll require a considerable effort to gain widespread consumer traction. Google might have the reach and influence to do it, however, and Wired says that Google has created a universal protocol for device-based authentication that works completely independently of any of its own services, and only requires a web browser to support the standard. An open standard with Google’s backing could be just the recipe needed for the next evolution in online security.