Google Outlines Plan to Make Passwords Passe
Google is looking into physical authentication methods that would make passwords a thing of the past. Using a ring or other device to serve as a key for accounts would be a more secure method than password authentication, said Top Patch CEO Chiranjeev Bordoloi. "The average user uses the same password for everything. So when they go to a mom-and-pop website and buy something and that site gets hacked, a hacker has access to their e-mail."
01/21/13 11:21 AM PT
Members of the Google security team will publish a paper in next month's IEEE Security & Privacy Magazine examining scenarios in which passwords would be a thing of the past. Instead, users would turn to some sort of hardware device to unlock email, online shopping or banking accounts.
The article details one device, a Yubico cryptographic card that slides into a USB reader to authenticate and log into a user's account. Google's vice president of security, Eric Grosse, and engineer Mayank Upadhyay experimented with the device on a modified version of Chrome, but beyond the modified browser, the system did not require a software download or any complex steps to function.
Eventually, the team hopes the technology could go wireless. Then, instead of the key, the technology could be integrated into a mobile device such as a smartphone or even a piece of jewelry -- something people already carry with them -- to access accounts.
"We're focused on making authentication more secure, and yet easier to manage," Google spokesperson Jay Nancarrow told TechNewsWorld. "We believe experiments like these can help make login systems better."
While passwords have been a cheap and easy way to protect online accounts so far, security breaches are becoming too common and egregious to continue on the same system. The past year saw a number of high-profile hacks in federal, enterprise and consumer accounts, including breaches of Microsoft's online store in India, Sony's PlayStation network, retail site Zappos and corporate networking site LinkedIn.
A combination of human error and an increase in the availability of advanced hacking technology is to blame for the rise in cyberattacks, said Chiranjeev Bordoloi, CEO of Top Patch.
"The biggest problem with passwords is a simple problem," Bordoloi told TechNewsWorld. "The average user uses the same password for everything. So when they go to a mom-and-pop website and buy something and that site gets hacked, a hacker has access to their e-mail, and they can reset the password at any site they choose. Then, with the cost of GPU computing decreasing dramatically, the technology available to hackers to crack passwords is really state-of-the-art. A hacker can do magic with a gaming laptop that is packed with a password cracking system."
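The two points above, the hardware key that authenticates a login and the reuse problem that makes one breached site a master key for every other account, can be illustrated with a small simulation. The code below is an added example and is not Google's or Yubico's protocol; it assumes a simplified symmetric design in which a token holds one master secret, derives a distinct per-site key from it, and answers a fresh server challenge with an HMAC over the site name and that challenge. The site names, user name and the `HardwareKey`/`Site` classes are constructed for the demonstration.

```python
import hmac
import hashlib
import secrets


class HardwareKey:
    """Simulated hardware token (hypothetical design, not a real product).

    The master secret never leaves the device; only per-site derived keys and
    challenge responses do.
    """

    def __init__(self, master_secret: bytes):
        self._master = master_secret

    def site_key(self, site: str) -> bytes:
        # Each site gets its own key derived from the master secret, so the
        # credential registered at one site says nothing about any other site.
        return hmac.new(self._master, site.encode(), hashlib.sha256).digest()

    def respond(self, site: str, challenge: bytes) -> bytes:
        # The response is bound to the site identity and to the server's fresh
        # challenge, so it cannot be replayed or presented to a different site.
        return hmac.new(self.site_key(site), site.encode() + challenge, hashlib.sha256).digest()


class Site:
    """A relying site that registers a token and verifies challenge responses."""

    def __init__(self, name: str):
        self.name = name
        self.registered = {}   # user -> per-site key; this is what a breach of the site exposes
        self._pending = {}     # user -> outstanding challenge (consumed on first use)

    def register(self, user: str, key: HardwareKey) -> None:
        self.registered[user] = key.site_key(self.name)

    def challenge(self, user: str) -> bytes:
        nonce = secrets.token_bytes(32)
        self._pending[user] = nonce
        return nonce

    def verify(self, user: str, response: bytes) -> bool:
        nonce = self._pending.pop(user, None)   # one challenge, one attempt
        site_key = self.registered.get(user)
        if nonce is None or site_key is None:
            return False
        expected = hmac.new(site_key, self.name.encode() + nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def demo() -> tuple[bool, bool, bool]:
    """Returns (legitimate login ok, replay accepted, cross-site use of stolen key accepted)."""
    token = HardwareKey(secrets.token_bytes(32))
    shop = Site("shop.example")   # the "mom-and-pop" site (constructed name)
    mail = Site("mail.example")   # the user's e-mail provider (constructed name)
    shop.register("alice", token)
    mail.register("alice", token)

    # 1. Normal login at the mail site: fresh challenge, token answers, server accepts.
    nonce = mail.challenge("alice")
    login_ok = mail.verify("alice", token.respond("mail.example", nonce))

    # 2. Replay of the same answer: the challenge was consumed, so it is rejected.
    replay_ok = mail.verify("alice", token.respond("mail.example", nonce))

    # 3. The shop is breached and its stored per-site key is taken. Unlike a
    #    reused password, that key does not verify at the mail site.
    stolen_shop_key = shop.registered["alice"]
    nonce2 = mail.challenge("alice")
    forged = hmac.new(stolen_shop_key, b"mail.example" + nonce2, hashlib.sha256).digest()
    cross_site_ok = mail.verify("alice", forged)

    return login_ok, replay_ok, cross_site_ok


if __name__ == "__main__":
    print(demo())   # (True, False, False)
```

The contrast with a reused password is the third result: the breached shop's database yields a credential that is worthless at the mail provider, because the token derived a different key for each site. Real designs of this kind use per-site asymmetric keys so that a breached site holds only public material, which removes even the per-site key from what a breach exposes; the symmetric version here keeps the example dependency-free.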
The question then becomes what to do in order to add online protection to user accounts. The idea of carrying around a piece of hardware or other token isn't out of the question as an answer to that problem, said Michael Murray, managing partner of MAD Security.
"It's entirely realistic," Murray told TechNewsWorld. "Users are quite comfortable carrying around physical tokens for authentication to most of their world -- their car and house keys fit that bill rather effectively."
There are also a few layers of security protection that can happen before consumers make the costly jump to a device-driven system, said Bordoloi. Passwords might become sentence-length rather than a six- or eight-character word, or multi-step authentication, like that already used by many banking websites, will likely become more popular for e-mail accounts and retail sites, Bordoloi noted.
Then, corporations might become the leaders of adding a hardware component to security, said Bordoloi.
"This would be an expensive system, so corporations might take it on a risk-based approach," he predicted. "A company might execute this only for their finance employees, for instance. They're going to figure out what pieces of data are most important to protect, and take extra steps for those."
Still, that system would come with its own security issues, Kapil Raina, security expert and director at Zscaler, pointed out.
"This is a limited set of protections," Raina told TechNewsWorld. "After all, where is the key going to be? In the same bag as your laptop or iPad, so protection against theft will be marginal -- and if the user keeps the key engaged in the system, the defense against remote attacks may also be limited. The financial community tried this years ago for the consumer without success."
Google the One to Lead the Charge?
While Google's ideas might be generating the buzz, it might not be anything revolutionary within the security space, Raina pointed out.
"Fundamentally there are game-changing innovations going around all over the authentication space, far beyond what even Google has imagined," said Raina.
Still, the company has the resources and customer base to lead the way in further consumer protection in ways a smaller, security-focused company couldn't, said Murray.
"There are really only a few companies that have the reach and the scope to do it," Murray noted. "Google is one of those. And I'm sure that the others, Microsoft, for example, will attempt to follow suit shortly."