By Christopher Williams
In a research paper, two security experts at the web giant have outlined a future in which the main way of guaranteeing we are who we say we are online will be possession of a physical token, perhaps embedded in smartphones or even jewellery.
They have added to growing claims that passwords are both inherently insecure and increasingly impractical.
To make them more difficult for criminals to guess, web services have forced people to use longer passwords with different types of characters, but that also makes them more difficult to remember. To add to the headache, experts also advise against using the same password for different services, to reduce the impact if one is hacked.
“Along with many in the industry, we feel passwords and simple bearer tokens such as cookies are no longer sufficient to keep users safe,” said Google vice president of security Eric Grosse and engineer Mayank Upadhyay, in an article to be published in an engineering journal.
Cookies are small text files issued by websites to web browser software to keep visitors logged in once they have entered their password.
“We’d like your smartphone or smartcard-embedded finger ring to authorize a new computer via a tap on the computer, even in situations in which your phone might be without cellular connectivity,” the Googlers wrote.
Grosse and Upadhyay said they are currently experimenting with YubiKey, a tiny USB stick that implements highly secure “one time pad” cryptography to log in to Google services, as a replacement for passwords. In the future, they want similar authentication technology to work wirelessly and across all of a person’s online accounts.
“We’ll have to have some form of screen unlock, maybe passwords but maybe something else,” Grosse said, Wired reports. “But the primary authenticator will be a token like this or some equivalent piece of hardware.”