Researchers at Google may soon make the password passé
Popular opinion holds that passwords for Internet accounts are a pain in the neck. First, there is the chance of forgetting them, and second, there is the more serious problem of hacking. With a dozen accounts peppered across various sites on the web, thinking up secure passwords and remembering them till the next login is a challenging task. Google VP of Security Eric Grosse and Engineer Mayank Upadhyay seem to agree strongly. The duo has written a paper in which they propose a hardware solution for authenticating to online accounts. It is to be published in the IEEE Security and Privacy magazine later this month.
Grosse and Upadhyay are of the opinion that simple passwords and cookies are not secure enough for the Internet as it is today. Smart hackers have found ways to circumvent the optional two-step authentication that Google introduced a couple of years ago for Gmail users. When activated, this system sends a 6-digit verification code via text message to the user’s registered mobile phone. Access to the account is granted only on entering this code, in addition to the regular password. Though this process is better than one-step authentication, it is cumbersome and adds variables such as mobile phone service availability. Now that this method too has proved to be penetrable, the search for a safer solution has turned to hardware.
Hardware authentication devices proposed in the paper include a smartcard-embedded finger ring and a USB key which, when tapped onto or plugged into the computer, would provide one-step authentication and log in to Google services. Apart from these ideas, the one that is more favored is a cryptographic card incorporated into a USB stick which can be plugged into the user’s device(s). Think smartkeys like the ones developed by authentication innovator Yubico. Apart from browser support provided by the search giant, no extra application will be required to recognize the USB key. A device can be authorized with just a click of the mouse. If and when the trend catches on, logging into several small websites can be clubbed with the master login performed with the USB key.
While this might seem like an exciting idea at the outset, a physical authentication device will just be another key to lose or misplace. Imagine you go to your workplace to find that you’ve left the USB key to your work email at home. Is that not just an unwelcome addition to the already byzantine list of potential things to forget? A physical password will also make it that much easier for those who want to steal it. Apparently, there are as many downsides to this proposition as there are advantages. After all, physical or digital, protecting your account is in your own hands.
The Google duo also says that a traditional password cannot be entirely done away with, as it will still be required for major account modifications. Perhaps a combination of both would be a formidable barrier to miscreants. In this age of identity theft and cyber crime, the solution of physical authentication is something worth trying out.
Nikhila is a gadget lover and passionate writer. She likes to keep up with social media and Internet culture in particular while staying updated about all latest gizmos. Nikhila is a mechanical engineer-turning-into-technical-writer. Bibliophile, Grammar Nazi, dog lover, foodie, casual artist.
21 January, 2013