Google Declares War on the Password

‘Passwords and simple bearer tokens such as cookies are no longer sufficient to keep users safe.’

— Eric Grosse and Mayank Upadhyay

Want an easier way to log into your Gmail account? How about a quick tap on your computer with the ring on your finger?
This may be closer than you think. Google’s security team outlines this sort of ring-finger authentication in a new research paper, set to be published late this month in the engineering journal IEEE Security & Privacy Magazine. In it, Google Vice President of Security Eric Grosse and Engineer Mayank Upadhyay outline all sorts ways they think people could wind up logging into websites in the future — and it’s about time.

2012 may have been the year that the password broke. It seemed like everyone on the internet received spam e-mail or desperate pleas for cash — the so-called “Mugged in London” scam — from the e-mail accounts of people who had been hacked. And Wired’s own Mat Honan showed everyone just how damaging a hack can be.

The guys who hacked Honan last August deleted his Gmail account. They took over his Twitter handle and posted racist messages. And they remote-wiped his iPhone, iPad, and laptop computer, deleting a year’s worth of e-mails and photographs. In short, they erased his digital life.

Passwords are a cheap and easy way to authenticate web surfers, but they’re not secure enough for today’s internet, and they never will be.
Google agrees. “Along with many in the industry, we feel passwords and simple bearer tokens such as cookies are no longer sufficient to keep users safe,” Grosse and Upadhyay write in their paper.
Thus, they’re experimenting with new ways to replace the password, including a tiny YubiKey cryptographic card that — when slid into a USB (Universal Serial Bus) reader — can automatically log a web surfer into Google. They’ve had to modify Google’s web browser to work with these cards, but there’s no software download and once the browser support is there, they’re easy to use. You log into the website, plug in the USB stick and then register it with a single mouse click.
They see a future where you authenticate one device — your smartphone or something like a YubiKey — and then use that almost like a car key, to fire up your web mail and online accounts.
In the future, they’d like things to get even easier, perhaps connecting to the computer via wireless technology.
“We’d like your smartphone or smartcard-embedded finger ring to authorize a new computer via a tap on the computer, even in situations in which your phone might be without cellular connectivity,” the Googlers write.
 
Source:
 

0 yorum: