Google Wants to Ditch the Password – Sounds Lovely


Memorizing numerous passwords is inconvenient. This is known. To counteract said inconvenience, many people use memorable (read: hackable) passwords on multiple sites. Which is a shame because security experts advise that, at a minimum, we use different, random, alpha-numeric strings for every website and switch them out every few months. Kind of the opposite of convenient. And even this method provides but a fig leaf of security.

Google knows all this. So, in a soon-to-be-released paper they’ll outline their preferred solution—a USB stick called Yubikey. Yubikey is a small USB-compatible security stick that draws power from your PC (no battery) to generate and send a one-time-use random authentication password on your behalf. Eventually, Google wants to go wireless with the technology, embedding it in cellphones or specially equipped rings.

Yubikey USB stick. Image Credit: Yubico.

Trash talking passwords isn’t in any sense new, and Google’s been at it for a few years. In 2010, they instituted two-step verification—adding a texted code to user passwords. Two-step verification is more secure because it relies on something you know (your password) and something you have (your phone).
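The one-time codes the article describes, whether produced by a key fob or texted to a phone, are the second factor: something you have. The added example below is not Google's or Yubico's code; it implements HOTP (RFC 4226), the standard counter-based one-time-password algorithm, as an illustration of the principle (Yubikey's own native OTP format is a different scheme). The secret is the RFC 4226 test-vector key, and the server-side verifier, look-ahead window and replay rejection are this example's own design.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then
    dynamic truncation to a `digits`-long decimal code."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = (
        (mac[offset] & 0x7F) << 24
        | mac[offset + 1] << 16
        | mac[offset + 2] << 8
        | mac[offset + 3]
    )
    return str(binary % (10 ** digits)).zfill(digits)


class HotpVerifier:
    """Server-side state for one enrolled device (example design).

    The server remembers the next counter it expects. A presented code is
    accepted if it matches any counter in [expected, expected + window);
    the window tolerates codes the device generated but never sent. On
    success the expected counter jumps past the matched one, so the same
    code (or any older one) can never be replayed.
    """

    def __init__(self, secret: bytes, window: int = 5, digits: int = 6):
        self.secret = secret
        self.window = window
        self.digits = digits
        self.counter = 0  # next counter value we expect from the device

    def verify(self, code: str) -> bool:
        for candidate in range(self.counter, self.counter + self.window):
            expected = hotp(self.secret, candidate, self.digits)
            # constant-time comparison avoids leaking how many digits matched
            if hmac.compare_digest(expected, code):
                self.counter = candidate + 1
                return True
        return False


if __name__ == "__main__":
    # RFC 4226 Appendix D test key (ASCII "12345678901234567890")
    key = b"12345678901234567890"
    for c in range(3):
        print(c, hotp(key, c))  # 755224, 287082, 359152
    server = HotpVerifier(key)
    print(server.verify("755224"))  # True: first code accepted
    print(server.verify("755224"))  # False: replay rejected
```

The `window` is the usual trade-off: larger values forgive a device that got ahead of the server, but each extra counter the server is willing to accept is one more code an attacker guessing blindly could hit, which is why real deployments also rate-limit attempts.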

And would it surprise you to learn registration jumped after Wired’s Matt Honan was hacked in 2012? Well, it did. Online security is a hot topic.

Two-step verification and password generating key fobs may make accounts more secure than they are currently—but you can still lose your phone or Yubikey. What else is out there?

Biometrics are an already common alternative solution used on local machines like laptops. Human fingerprints and irises are like snowflakes—complex and unique. Biometric security scans a body part like your thumb, iris, or even entire face to prove your identity. The idea is you won’t (hopefully) lose these identifying characteristics, and they are difficult to duplicate. There is no reason biometrics can’t be used to enhance online security—perhaps by developing scanner apps for smart phones.

Meanwhile, the Defense Advanced Research Projects Agency (DARPA) wants to identify users by their keystrokes. According to researchers at Carnegie Mellon University, the way we type is as distinctive as our handwriting. Prolonged pauses between certain letters or the rhythm with which we type words are distinctive identifiers. A computer equipped to recognize such nuances would know you as soon as you’d typed in a username and could even monitor your patterns throughout a session.
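To make the keystroke idea concrete, here is an added example (not DARPA's or Carnegie Mellon's code) of the two timing features such systems typically start from: dwell time (how long each key is held) and flight time (the pause between releasing one key and pressing the next). The keystroke events, the enrolled profile, the mean-absolute-deviation distance and the 30 ms threshold are all constructed for the illustration; a production system would use many more samples and a more robust statistic.

```python
from statistics import mean

# One keystroke event: (key, press_ms, release_ms), in session-relative ms.
Event = tuple[str, int, int]


def extract(events: list[Event]) -> tuple[tuple[str, ...], list[float]]:
    """Return the key sequence and a feature vector: all dwell times
    followed by all flight times."""
    keys = tuple(k for k, _, _ in events)
    dwell = [float(release - press) for _, press, release in events]
    flight = [
        float(events[i + 1][1] - events[i][2])  # next press - this release
        for i in range(len(events) - 1)
    ]
    return keys, dwell + flight


def enroll(sessions: list[list[Event]]) -> tuple[tuple[str, ...], list[float]]:
    """Build a user profile: the per-position mean of several enrollment
    sessions typing the same string."""
    keys, first = extract(sessions[0])
    vectors = [first]
    for session in sessions[1:]:
        k, vec = extract(session)
        if k != keys:
            raise ValueError("all enrollment sessions must type the same keys")
        vectors.append(vec)
    return keys, [mean(column) for column in zip(*vectors)]


def distance(profile: list[float], sample: list[float]) -> float:
    """Mean absolute deviation (ms) between a sample and the profile."""
    return mean(abs(p - s) for p, s in zip(profile, sample))


def matches(profile, keys, events: list[Event], threshold_ms: float = 30.0) -> bool:
    """Accept the sample only if it typed the same keys and its rhythm is
    within the threshold of the enrolled rhythm."""
    k, vec = extract(events)
    if k != keys:
        return False
    return distance(profile, vec) <= threshold_ms


# Constructed data: two enrollment sessions of a user typing "pass".
ENROLL = [
    [("p", 0, 80), ("a", 150, 230), ("s", 300, 380), ("s", 420, 500)],
    [("p", 0, 90), ("a", 160, 240), ("s", 300, 390), ("s", 430, 510)],
]
# A later sample from the same user and one from someone else, also constructed.
GENUINE = [("p", 0, 85), ("a", 155, 235), ("s", 300, 385), ("s", 425, 505)]
IMPOSTOR = [("p", 0, 120), ("a", 400, 520), ("s", 700, 820), ("s", 1100, 1220)]


if __name__ == "__main__":
    keys, profile = enroll(ENROLL)
    print("profile", keys, profile)
    print("genuine ", matches(profile, keys, GENUINE))   # True
    print("impostor", matches(profile, keys, IMPOSTOR))  # False
```

The threshold is where the trade-off the next paragraph hints at lives: lower it and more genuine sessions are rejected, raise it and a patient observer who has recorded your timings has an easier time staying inside it.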

Of course, neither of these options is foolproof—fake hands designed from pilfered fingerprints can fool biometric devices. And a hacker can record keystrokes, perhaps enabling them to mimic your typing style. The truth is, there may never be a perfect method of cybersecurity—one can only hope to throw enough roadblocks up to slow or dissuade potential hackers.

But just about anything is better than a password. So the question is: alternative technologies have been around for a while—why haven’t they gone mainstream?

Password security is inconvenient for users—but convenient for online businesses. To create real change, service providers need to adopt new methods in sufficient numbers to make them useful. The good news is that if anyone has the clout to persuade web sites to support non-password security, it’s Google. And to speed the process, Google says they've already built and will make available an independent protocol that online businesses can use to set up device-based authentication.

So, maybe this time we really are about to do away with passwords. More intriguing is whether they’ll be replaced with the Google ring, biometrics, behavioral recognition—or something more revolutionary.

Image Credit: Nick Carter (featured and banner), Dave Bleasdale (article), Flickr

Jason Dorrier

Jason is managing editor of Singularity Hub. He cut his teeth doing research and writing about finance and economics before moving on to science, technology, and the future. He is curious about pretty much everything, and sad he'll only ever know a tiny fraction of it all.

Discussion — 4 Responses

  • Improbus Liber February 4, 2013 on 2:40 pm

    I tried two factor for a while … too aggravating and time consuming. I guess I am just not paranoid enough. Sounds like what Google wants to do is use your phone as an RSA dongle. Well, if they can make it easy and secure, more power to them.

  • Herbys February 4, 2013 on 10:10 pm

    > There is no reason biometrics can’t be used to enhance online security
    Huh? I can give you quite a few reasons:
    1) biometrics are not a secret. In fact, most of your usable biometric info is all around you. I can take your fingerprints directly from the device I stole from you so now I have your device AND your “password”. Biometrics add nothing to authentication, they only serve as identification (your username) at best. For the types of biometrics that can’t be easily lifted from the environment (e.g. retinal patterns) they are very awkward to use, and only require a bit more work to lift from the environment (e.g. if you can make a camera that reads your retina from 1cm away, you can also make one that can read it from 10m away. It’s called optics).
    2) Biometrics cannot be revoked. At least not without pain.
    3) Biometrics can’t be kept secret if you intend to use them. If you want to authenticate against Google you have to give them your secret info. Which is the same info your bank is going to ask. So once you use biometric authentication in two places, each place can impersonate you against the other.
    4) Biometrics are erratic. Even the best have a significant false rejection rate, and a non-zero false acceptance rate. Optimize for one and you lose on the other.
    5) Biometrics are risky. Ask the guys that purchased that expensive Mercedes Benz with a fingerprint scanner in the door handle. Cars were recalled one week after the first two owners had their fingers chopped by crooks. Fortunately they didn’t use an eye scanner.
    Finally, it is a fallacy that biometrics are a “what you are” factor. They are “what you have” which is information about your fingerprint. Since the sensor can only sense a limited amount of information about your body, in the end it is just info, and not even much of it.
    Biometrics have a very limited use in security. Pin pads, smartcards and the like are extremely awkward, but at least they DO provide some security.

  • Pete Wason February 13, 2013 on 10:25 am

    If you can’t remember a bunch of passwords, maybe you shouldn’t be using technology that requires passwords. I have many many passwords committed to memory. NBD.

    For example: 820BPe71=?!6Ff is the password for a new server I’m currently configuring. It took me about two logins to memorize it.

    Grow a pair of hemispheres, willya?