Top Google bods are mulling over using cryptographic finger-ring gadgets and other ways for users to securely log into websites and other services.
The ad giant's security veep Eric Grosse and engineer Mayank Upadhyay have submitted the paper Authentication at Scale to the IEEE Security & Privacy Magazine; their central argument is that weak passwords are a bigger threat to online security than malware infection, hacker attacks or espionage. Passwords, as they stand, need to go, in the pair's opinion, but this process won't happen overnight:
In working to keep cloud computing users' data safe, we observe many threats - malware on the client, attacks on SSL, vulnerabilities in web applications, rogue insiders, espionage - but authentication-related issues stand out amongst the biggest. When trying to help hundreds of millions of people from an unbelievable variety of endpoints, attitudes, and skill levels, what can possibly displace plain old passwords? No single thing, nothing overnight, and nothing perfect. A combination of risk-based checks, second-factor options, privacy-enhanced client certificates, and different forms of delegation is starting to find adoption towards making a discernible difference.
Google introduced a two-stage login process for its Gmail website two years ago. This optional two-factor verification adds an extra layer of security to Google accounts by linking them to a registered mobile phone number. Users are asked for a code sent to them by text every time they try to log into their accounts from a new computer, a minor inconvenience for legitimate users that makes life far trickier for account hijackers and other criminal hackers.
Looking further ahead, Google is experimenting with Yubico cryptographic USB devices that generate one-time passcodes (OTPs) for logging into websites. The YubiKey combines a public ID number unique to the key with a series of bytes generated on the fly to produce a one-off code that, when used together with the account username and password, logs the user into the service for that one session only. The code consists of a secret value, a timestamp, some counters and a few random bytes, encrypted with 128-bit AES and then sent to the computer over USB as keystrokes, as if typed on a keyboard.
Pressing the gold disc-like button on the key generates and outputs a new unique code; the incrementing counters ensure that no one can capture and reuse an OTP, and the public ID number in the key links the gadget to the account username. One step on from that involves replacing the USB connection with wireless radio tech and building it into a finger ring. And then getting enough websites and services to use it.
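To make the mechanism concrete, here is a small model of a YubiKey-style OTP and the verifier that consumes it. This is an added example written for this article, not Yubico's or Google's code: the 16-byte field layout (private ID, press counter, timestamp, random bytes), the hex output (real keys emit ModHex so the keystrokes survive any keyboard layout) and all keys and IDs are constructed for illustration. What it shows is the part the article describes in prose: one AES-128 block operation turns the fields into an opaque code, the public ID selects the account's stored secrets, the secret value proves the block came from the enrolled key, and a counter that must always move forward is what makes a copied code worthless.

```go
package main

import (
	"crypto/aes"
	"crypto/subtle"
	"encoding/binary"
	"encoding/hex"
	"errors"
	"fmt"
)

// Plaintext layout of the single 16-byte AES-128 block. Assumed for
// illustration; it is not Yubico's exact field order:
//   [0:6]   private ID  - secret value proving the block came from this key
//   [6:10]  press counter, big-endian, incremented on every button press
//   [10:13] timestamp, 24-bit, from the key's internal clock
//   [13:16] random bytes, so equal counter and time still give a new code
const (
	publicIDLen = 12 // hex characters (6 bytes) prepended in the clear
	blockLen    = 16
)

// Token models the state held inside the key (constructed for this example).
type Token struct {
	PublicID  string
	key       [16]byte // AES-128 key shared with the verifier at enrolment
	privateID [6]byte
	counter   uint32
}

func NewToken(publicID string, key [16]byte, privateID [6]byte) *Token {
	return &Token{PublicID: publicID, key: key, privateID: privateID}
}

// Press simulates the button: bump the counter, build the block, encrypt it
// with one AES operation and "type" publicID followed by hex(ciphertext).
func (t *Token) Press(timestamp uint32, random [3]byte) string {
	t.counter++
	var pt [blockLen]byte
	copy(pt[0:6], t.privateID[:])
	binary.BigEndian.PutUint32(pt[6:10], t.counter)
	pt[10], pt[11], pt[12] = byte(timestamp>>16), byte(timestamp>>8), byte(timestamp)
	copy(pt[13:16], random[:])
	block, err := aes.NewCipher(t.key[:])
	if err != nil {
		panic(err) // the type fixes the key at 16 bytes, so this cannot fail
	}
	var ct [blockLen]byte
	block.Encrypt(ct[:], pt[:])
	return t.PublicID + hex.EncodeToString(ct[:])
}

// record is what the service stores per enrolled key.
type record struct {
	key         [16]byte
	privateID   [6]byte
	lastCounter uint32 // highest counter accepted so far; enforces one-time use
}

type Verifier struct{ records map[string]*record }

func NewVerifier() *Verifier { return &Verifier{records: map[string]*record{}} }

// Enrol registers a key's secrets under its public ID.
func (v *Verifier) Enrol(t *Token) {
	v.records[t.PublicID] = &record{key: t.key, privateID: t.privateID}
}

var (
	ErrMalformed   = errors.New("malformed otp")
	ErrUnknownKey  = errors.New("unknown public id")
	ErrWrongSecret = errors.New("private id mismatch: wrong key or forged otp")
	ErrReplay      = errors.New("counter not above last accepted: replayed otp")
)

// Verify decrypts the OTP, checks the secret in constant time and rejects any
// counter that does not move forward, which is what defeats a captured code.
func (v *Verifier) Verify(otp string) error {
	if len(otp) != publicIDLen+2*blockLen {
		return ErrMalformed
	}
	rec, ok := v.records[otp[:publicIDLen]]
	if !ok {
		return ErrUnknownKey
	}
	ct, err := hex.DecodeString(otp[publicIDLen:])
	if err != nil {
		return ErrMalformed
	}
	block, err := aes.NewCipher(rec.key[:])
	if err != nil {
		return err
	}
	var pt [blockLen]byte
	block.Decrypt(pt[:], ct)
	if subtle.ConstantTimeCompare(pt[0:6], rec.privateID[:]) != 1 {
		return ErrWrongSecret
	}
	ctr := binary.BigEndian.Uint32(pt[6:10])
	if ctr <= rec.lastCounter {
		return ErrReplay
	}
	rec.lastCounter = ctr
	return nil
}

func main() {
	// Constructed enrolment values; a real key would carry factory secrets.
	tok := NewToken("0123456789ab", [16]byte{1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16},
		[6]byte{0xde, 0xad, 0xbe, 0xef, 0x01, 0x02})
	v := NewVerifier()
	v.Enrol(tok)
	otp := tok.Press(1000, [3]byte{1, 2, 3})
	fmt.Println("first use: ", v.Verify(otp))
	fmt.Println("replayed:  ", v.Verify(otp))
	fmt.Println("next press:", v.Verify(tok.Press(1001, [3]byte{4, 5, 6})))
}
```

Two design points worth noting. The verifier never needs the key's clock or random bytes; they only stop two presses from producing the same ciphertext. And the replay check is strictly greater-than, so an OTP captured and presented after a later one has already been accepted is rejected too, which is the property the article's "incrementing counters" sentence is describing.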
“We’d like your smartphone or smartcard-embedded finger ring to authorize a new computer via a tap on the computer, even in situations in which your phone might be without cellular connectivity,” Grosse and Upadhyay wrote.
“Others have tried similar approaches but achieved little success in the consumer world. Although we recognize that our initiative will likewise remain speculative until we’ve proven large scale acceptance, we’re eager to test it with other websites.”
It is understood Grosse and Upadhyay have developed a protocol for device-based authentication independent of Google that will also prevent websites from tracking users. ®