New research from Google suggests what we all likely know to be true: your pet's name followed by a few numbers just isn't cutting it as a password these days. The company will be publishing a new research paper in the IEEE Security & Privacy Magazine this month, but Wired got a sneak peek, and it details a number of alternatives that rely on a physical device, combined with some other form of screen unlock, to make signing in both simpler and more secure.
Some of the possible systems they describe include chips embedded in smartphones, which is a pretty convenient delivery method given that everyone will be carrying one anyway, and a slightly more unusual one: a ring worn on the finger. I think I had a pinkie ring once when I was sixteen (it was a mistake), so personally I'd prefer something a little less flashy, but the idea is sound.
As a first step, however, they're working with a YubiKey cryptographic USB token, programming it so that it can automatically log a user into their Google account on the web when it is plugged into a computer's USB port. It doesn't require a separate software download or install, just a slightly modified build of Chrome. Combined with Google's authentication and authorization services, you can see how this could eliminate the need for complicated passwords, and potentially even the elaborate "prove you're a human" CAPTCHA steps that make logging into apps and websites a pain.
Others have tried similar systems, to strong effect. Blizzard uses the Battle.net Authenticator, which can be either a hardware device or a smartphone app for Android and iOS, to give users a temporary one-time code that they enter alongside their existing password as an added layer of protection. Likewise, Google users can enable two-step authentication, whereby a one-time code is sent to your phone and must be entered in addition to your usual login credentials. The problem is that both methods are still susceptible to phishing: a website masquerades as the legitimate one run by the company that manages your account, you type in your password and the one-time code, and the attacker relays both to the real site before the code expires.
Direct authentication with a physical device doesn't have that weakness: the token signs a challenge that the browser ties to the site it is actually connected to, so a response captured by a look-alike site is useless at the real one. It also simplifies the process, meaning it could work without any password at all for low-risk logins, and with a simple password where you're more concerned about your privacy. There's still a risk of the device being lost or stolen, but that is easier to mitigate (revoke the token and register a new one) and to detect than malware-based attacks.
Online security has definitely taken steps to make consumers feel more protected, with measures like two-step authentication, but that has also made logging in much more cumbersome than when we all just used our dog's name, or didn't bother with a login at all. This new push for a hardware-based alternative to passwords could return some of that bygone simplicity to the web, but it will take considerable effort to gain widespread consumer traction. Google might have the reach and influence to do it, however: Wired says Google has created a universal protocol for device-based authentication that works completely independently of its own services and requires only that the web browser support the standard. An open standard with Google's backing could be just the recipe needed for the next evolution in online security. [TechCrunch]
You can follow me on Twitter, add me to your circles on Google+, or subscribe to me on Facebook or YouTube. You can also check my website and blog to keep yourself updated with what is happening in the ever-changing world of technology.